android flesh out

2026-06-01 12:58:34 -04:00
parent ba73daa66c
commit 542172d1e8
183 changed files with 26946 additions and 761 deletions


@@ -1,27 +1,27 @@
# Candidate Scan
Generated by piolium at 2026-05-28T13:00:30.318Z
Generated by piolium at 2026-06-01T14:22:03.009Z
## Totals
- Files scanned: 730
- Candidate files: 218
- Candidate matches: 1412
- Files scanned: 880
- Candidate files: 259
- Candidate matches: 1703
- Per-file records: disabled (set PIOLIUM_FILE_RECORDS=1 to enable)
## Candidate Classes
- secret-literal: 9 match(es), max score 122. Hardcoded secret-like literal.
- command-execution: 55 match(es), max score 90. Potential command execution or shell invocation with variable input.
- dynamic-code-execution: 12 match(es), max score 90. Dynamic code execution, expression evaluation, or runtime compilation.
- raw-sql-query: 611 match(es), max score 87. Raw SQL construction or query execution that may need parameterization review.
- hidden-control-channel: 42 match(es), max score 87. Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.
- secret-literal: 14 match(es), max score 122. Hardcoded secret-like literal.
- command-execution: 65 match(es), max score 90. Potential command execution or shell invocation with variable input.
- dynamic-code-execution: 27 match(es), max score 90. Dynamic code execution, expression evaluation, or runtime compilation.
- raw-sql-query: 644 match(es), max score 87. Raw SQL construction or query execution that may need parameterization review.
- hidden-control-channel: 165 match(es), max score 87. Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.
- open-redirect: 2 match(es), max score 81. Redirect sink that may accept user-controlled URLs.
- path-traversal-file-access: 638 match(es), max score 79. Filesystem access using path joins or user-controllable paths.
- webhook-without-obvious-signature: 6 match(es), max score 79. Webhook handler path that should be checked for signature verification.
- path-traversal-file-access: 688 match(es), max score 79. Filesystem access using path joins or user-controllable paths.
- webhook-without-obvious-signature: 41 match(es), max score 79. Webhook handler path that should be checked for signature verification.
- ssrf-capable-request: 26 match(es), max score 71. Outbound HTTP request site that may be attacker-controlled.
- unsafe-html-or-template: 17 match(es), max score 71. HTML injection sink or template escape bypass.
- ssrf-capable-request: 10 match(es), max score 71. Outbound HTTP request site that may be attacker-controlled.
- weak-token-or-crypto: 5 match(es), max score 63. Token, JWT, randomness, or crypto usage that deserves review.
- weak-token-or-crypto: 9 match(es), max score 63. Token, JWT, randomness, or crypto usage that deserves review.
- public-entrypoint: 5 match(es), max score 54. Public route, handler, controller, workflow, or operation entry point.
## Top Files
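Review bot: the `Generated by piolium at ...` line and the totals change on every run, so committing this report produces a fresh diff each time whether or not findings changed; either write the report to an ignored path or strip the timestamp, and keep `Per-file records: disabled` only if the JSONL sidecar is meant to be the source of per-file detail. Separately, hidden-control-channel goes from 42 to 165 matches and webhook-without-obvious-signature from 6 to 41, which a commit titled `android flesh out` does not explain; a sentence in the message naming the new files behind those jumps, or a triage of them, would make this reviewable.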
@@ -35,47 +35,49 @@ Generated by piolium at 2026-05-28T13:00:30.318Z
- `honker/tests/test_real_e2e_scenarios.py`: score 1810, 32 match(es)
- `honker/tests/test_extension_interop.py`: score 1760, 32 match(es)
- `honker/tests/test_stream.py`: score 1650, 30 match(es)
- `web/src/server/services/hometitle/county-scrapers/unified-parser.ts`: score 1530, 18 match(es)
- `honker/tests/test_tasks.py`: score 1485, 27 match(es)
- `web/src/routes/api/stripe/webhook.test.ts`: score 1422, 18 match(es)
- `honker/tests/test_task_results.py`: score 1375, 25 match(es)
- `honker/tests/test_outbox.py`: score 1320, 24 match(es)
- `honker/packages/honker/python/honker/_honker.py`: score 1265, 23 match(es)
- `web/src/server/services/darkwatch/shodan.client.ts`: score 1265, 23 match(es)
- `web/src/routes/api/stripe/webhook.ts`: score 1239, 16 match(es)
- `web/src/middleware.ts`: score 1197, 19 match(es)
- `web/src/server/services/darkwatch/shodan.client.test.ts`: score 1190, 21 match(es)
- `honker/packages/honker-node/test/basic.js`: score 1155, 21 match(es)
- `web/src/server/websocket.ts`: score 1155, 21 match(es)
- `honker/packages/honker-bun/test/watcher_backends_queue_e2e.test.ts`: score 1150, 20 match(es)
- `honker/packages/honker-node/api.js`: score 1134, 18 match(es)
- `honker/packages/honker-bun/test/parity.test.ts`: score 1115, 17 match(es)
- `web/src/server/api/routers/removebrokers.ts`: score 1106, 14 match(es)
- `honker/tests/test_multiprocess.py`: score 1065, 18 match(es)
- `honker/packages/honker-bun/test/python_interop.test.ts`: score 930, 16 match(es)
- `honker/bench/real_bench.py`: score 925, 15 match(es)
- `honker/packages/honker-node/test/watcher_backends_e2e.js`: score 905, 16 match(es)
- `honker/tests/test_crash_recovery.py`: score 905, 16 match(es)
- `honker/packages/honker-bun/test/basic.test.ts`: score 880, 16 match(es)
- `web/src/server/websocket.test.ts`: score 880, 16 match(es)
- `honker/packages/honker-node/examples/atomic.js`: score 825, 15 match(es)
- `web/src/server/api/routers/correlation.test.ts`: score 790, 10 match(es)
- `honker/bench/ext_bench.py`: score 770, 14 match(es)
- `honker/packages/honker-jvm/src/main/java/dev/honker/Database.java`: score 770, 14 match(es)
- `honker/packages/honker-ruby/spec/parity_spec.rb`: score 770, 14 match(es)
- `honker/tests/test_phase_mantle.py`: score 770, 14 match(es)
- `honker/tests/test_task_expiration.py`: score 715, 13 match(es)
- `honker/tests/test_task_locking.py`: score 715, 13 match(es)
- `honker/tests/test_worker_task_options.py`: score 715, 13 match(es)
- `honker/packages/honker-node/test/watcher_backends_queue_e2e.js`: score 710, 12 match(es)
- `honker/packages/honker-jvm/src/main/java/dev/honker/Queue.java`: score 660, 12 match(es)
- `honker/packages/honker-node/test/cross_lang_python_to_node.js`: score 660, 12 match(es)
- `honker/packages/honker-ruby/lib/honker.rb`: score 660, 12 match(es)
- `honker/packages/honker-ruby/spec/honker_spec.rb`: score 655, 11 match(es)
- `honker/tests/test_time_triggers_e2e.py`: score 630, 11 match(es)
- `web/src/middleware.ts`: score 630, 10 match(es)
- `web/src/routes/api/stripe/webhook.ts`: score 607, 8 match(es)
- `honker/packages/honker/python/honker/_scheduler.py`: score 605, 11 match(es)
## Highest-Ranked Matches
- secret-literal (precise, score 122) at `web/src/server/api/routers/billing.test.ts:164` - clientSecret: "cs_123_secret",
- secret-literal (precise, score 122) at `web/src/server/api/routers/billing.test.ts:220` - clientSecret: "cs_123_secret",
- secret-literal (precise, score 106) at `web/src/routes/(auth)/login.tsx:30` - if (!password()) errs.password = "Password is required";
- secret-literal (precise, score 106) at `web/src/routes/(auth)/reset-password.tsx:27` - if (!password()) errs.password = "Password is required";
- secret-literal (precise, score 106) at `web/src/routes/(auth)/reset-password.tsx:29` - errs.password = "Password must be at least 8 characters";
- secret-literal (precise, score 106) at `web/src/routes/(auth)/signup.tsx:66` - if (!password()) errs.password = "Password is required";
- secret-literal (precise, score 106) at `web/src/routes/(auth)/signup.tsx:68` - errs.password = "Password must be at least 8 characters";
- secret-literal (precise, score 98) at `web/src/server/services/billing.service.test.ts:116` - client_secret: "cs_123_secret",
- secret-literal (precise, score 98) at `web/src/server/services/billing.service.test.ts:140` - client_secret: "cs_123_secret",
- secret-literal (precise, score 98) at `web/src/server/services/billing.service.test.ts:178` - client_secret: "cs_trial_secret",
- secret-literal (precise, score 98) at `web/src/server/services/billing.service.test.ts:216` - client_secret: "cs_upgrade_secret",
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/examples/atomic.ts:21` - db.raw.exec(
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:343` - this.raw.exec("BEGIN IMMEDIATE");
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:422` - raw.exec("PRAGMA busy_timeout = 5000;");
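Review bot: the Highest-Ranked Matches opening this hunk are mostly false positives, which matters because triagers sort by score: the score-106 secret-literal hits in `login.tsx`, `reset-password.tsx` and `signup.tsx` are password validation messages (`errs.password = "Password is required"`), the `cs_123_secret` / `client_secret` hits are test fixtures, and `this.raw.exec("BEGIN IMMEDIATE")` / `raw.exec("PRAGMA busy_timeout = 5000;")` are SQLite statement calls on constant strings, not dynamic code execution. Suggest the secret-literal matcher skip assignments to error or message fields and both matchers ignore calls whose only argument is a string literal. Meanwhile `web/src/middleware.ts` (1197 vs 630, 19 vs 10 matches) and `web/src/routes/api/stripe/webhook.ts` (1239 vs 607) each appear once per run with roughly doubled scores; those are auth and payment paths and deserve the look that the `honker/tests/*` files dominating the top of the list do not.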
@@ -94,17 +96,35 @@ Generated by piolium at 2026-05-28T13:00:30.318Z
- command-execution (precise, score 90) at `honker/packages/honker-go/watcher_backends_queue_test.go:194` - cmd := exec.Command(os.Args[0], "-test.run", "^TestWatcherBackendQueueHelper$")
- command-execution (precise, score 90) at `honker/packages/honker-go/watcher_backends_queue_test.go:226` - cmd := exec.Command(os.Args[0], "-test.run", "^TestWatcherBackendQueueHelper$")
- dynamic-code-execution (precise, score 90) at `honker/scripts/test_sqlite_versions.py:103` - assert rc == SQLITE_OK, f"exec({sql!r}) failed: {rc}"
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:216` - model.eval()
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:216` - model.eval()
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:216` - model.eval()
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:280` - model.eval()
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:280` - model.eval()
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:280` - model.eval()
- secret-literal (precise, score 90) at `web/src/server/services/darkwatch/hibp.client.test.ts:65` - const apiKey = "test-api-key";
- secret-literal (precise, score 90) at `web/src/server/services/darkwatch/shodan.client.test.ts:13` - const apiKey = "test-shodan-key";
- secret-literal (precise, score 90) at `web/src/server/services/hometitle/attom.client.test.ts:170` - const apiKey = "test-attom-api-key";
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:101` - while ((tableMatch = tableRegex.exec(html)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:127` - while ((rowMatch = rowRegex.exec(tableHtml)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:153` - while ((match = cellRegex.exec(headerRowHtml)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:160` - while ((match = tdRegex.exec(headerRowHtml)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:199` - while ((match = cellRegex.exec(rowHtml)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:294` - while ((match = labelSpanPattern.exec(html)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:302` - while ((match = thTdPattern.exec(html)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:310` - while ((match = divFieldPattern.exec(html)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:318` - while ((match = plainLabelPattern.exec(html)) !== null) {
- secret-literal (precise, score 90) at `web/src/server/services/notification.service.test.ts:220` - token: "existing-token",
- secret-literal (precise, score 90) at `web/src/server/services/notification.service.test.ts:256` - token: "other-user-token",
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/admin.ts:40` - stats: adminProcedure.query(async ({ ctx }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/admin.ts:58` - blogList: adminProcedure.query(async ({ ctx }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/admin.ts:64` - .query(async ({ ctx, input }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/admin.ts:137` - userList: adminProcedure.query(async ({ ctx }) => {
- hidden-control-channel (normal, score 87) at `web/src/server/api/routers/billing.test.ts:73` - const isAuthed = t.middleware(({ ctx, next }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.test.ts:80` - .query(async () => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.test.ts:113` - .query(async ({ ctx, input }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.ts:33` - getSubscription: protectedProcedure.query(async ({ ctx }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.ts:155` - .query(async ({ ctx, input }) => {
- hidden-control-channel (normal, score 87) at `web/src/server/api/routers/billing.test.ts:95` - const isAuthed = t.middleware(({ ctx, next }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.test.ts:102` - .query(async () => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.test.ts:168` - .query(async ({ ctx, input }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.ts:43` - getSubscription: protectedProcedure.query(async ({ ctx }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.ts:304` - .query(async ({ ctx, input }) => {
- open-redirect (normal, score 81) at `web/src/routes/(admin)/blog/index.tsx:32` - if (redirect()) return <Navigate href="/admin/blog/new" />;
- command-execution (precise, score 80) at `honker/bench/real_bench.py:180` - def spawn(script: str) -> subprocess.Popen:
- command-execution (precise, score 80) at `honker/bench/real_bench.py:181` - return subprocess.Popen(
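Review bot: `ml/spam-classifier/train.py:216` and `:280` are each listed three times with identical text, so the report should deduplicate on (file, line, class) before counting. `model.eval()` is PyTorch's eval-mode switch, not an eval of code, and `tableRegex.exec(html)` in `unified-parser.ts` is `RegExp.prototype.exec`; both should be excluded from dynamic-code-execution, for instance by requiring a bare `eval(` / `exec(` call rather than any method named `exec` on an object. The hidden-control-channel entries for `const isAuthed = t.middleware(({ ctx, next }) => {` in `billing.test.ts` likewise read no request header, so that matcher is firing on the word `middleware` alone.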
@@ -129,26 +149,6 @@ Generated by piolium at 2026-05-28T13:00:30.318Z
- command-execution (precise, score 80) at `honker/packages/honker-node/index.js:56` - return require('child_process').execSync('ldd --version', { encoding: 'utf8' }).includes('musl')
- command-execution (precise, score 80) at `honker/packages/honker-node/native.js:56` - return require('child_process').execSync('ldd --version', { encoding: 'utf8' }).includes('musl')
- command-execution (precise, score 80) at `honker/packages/honker-node/test/cross_lang_shared.js:28` - return spawn(PYTHON, ['-c', script], { stdio });
- command-execution (precise, score 80) at `honker/packages/honker-node/test/watcher_backends_e2e.js:29` - return spawn(process.execPath, ['-e', script], {
- command-execution (precise, score 80) at `honker/packages/honker-node/test/watcher_backends_queue_e2e.js:38` - return spawn(process.execPath, ['-e', script], {
- command-execution (precise, score 80) at `honker/packages/honker-node/test/watcher_backends_queue_e2e.js:155` - const res = spawnSync(process.execPath, ['-e', script], {
- command-execution (precise, score 80) at `honker/packages/honker-ruby/ext/honker/extconf.rb:24` - cargo_found = system("cargo", "--version", out: File::NULL, err: File::NULL)
- command-execution (precise, score 80) at `honker/packages/honker-ruby/ext/honker/extconf.rb:48` - system(
- command-execution (precise, score 80) at `honker/packages/honker-ruby/spec/honker_spec.rb:176` - pid = Process.spawn(
- command-execution (precise, score 80) at `honker/packages/honker-ruby/spec/honker_spec.rb:191` - Process.spawn(
- command-execution (precise, score 80) at `honker/packages/honker-ruby/spec/railtie_spec.rb:36` - out = IO.popen([RbConfig.ruby, "-e", script], &:read)
- command-execution (precise, score 80) at `honker/scripts/test_sqlite_versions.py:44` - out = subprocess.check_output(["otool", "-L", mod_path], text=True)
- command-execution (precise, score 80) at `honker/scripts/test_sqlite_versions.py:103` - assert rc == SQLITE_OK, f"exec({sql!r}) failed: {rc}"
- command-execution (precise, score 80) at `honker/tests/test_crash_recovery.py:54` - return subprocess.Popen(
- command-execution (precise, score 80) at `honker/tests/test_cross_process_wake_latency.py:72` - proc = subprocess.Popen(
- command-execution (precise, score 80) at `honker/tests/test_fault_injection.py:112` - subprocess.run(
- command-execution (precise, score 80) at `honker/tests/test_fault_injection.py:143` - subprocess.run(["umount", str(mount_dir)], check=False)
- command-execution (precise, score 80) at `honker/tests/test_joblite.py:79` - return subprocess.Popen(
- command-execution (precise, score 80) at `honker/tests/test_multiprocess.py:63` - return subprocess.run(
- command-execution (precise, score 80) at `honker/tests/test_multiprocess.py:219` - return subprocess.run(
- command-execution (precise, score 80) at `honker/tests/test_multiprocess.py:277` - return subprocess.run(
- command-execution (precise, score 80) at `honker/tests/test_real_e2e_scenarios.py:270` - return subprocess.Popen(
- command-execution (precise, score 80) at `honker/tests/test_real_e2e_scenarios.py:279` - return subprocess.run(
## Custom Matchers
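Review bot: the header `-129,26 +149,6` shows 20 of these command-execution entries gone from the new report, but because this section is a ranked top-N list the likelier cause is that new higher-scoring matches pushed them below the cutoff, not that the `subprocess.Popen` / `spawn` sites changed; a diff of a truncated ranking cannot distinguish fixed from displaced, so resolution status should be read from the full JSONL records instead. Note also that most remaining entries are `honker/tests/*`, `honker/packages/*/test/*` and `*_spec.rb` helpers spawning a fixed interpreter (`process.execPath`, `RbConfig.ruby`, `ldd --version`), which the matcher could down-rank for test paths so that non-test process launches stand out.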


@@ -1,10 +1,12 @@
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/api/routers/billing.test.ts","line":164,"snippet":"clientSecret: \"cs_123_secret\",","matchedPattern":"secret assignment","score":122,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/api/routers/billing.test.ts","line":220,"snippet":"clientSecret: \"cs_123_secret\",","matchedPattern":"secret assignment","score":122,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/routes/(auth)/login.tsx","line":30,"snippet":"if (!password()) errs.password = \"Password is required\";","matchedPattern":"secret assignment","score":106,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/routes/(auth)/reset-password.tsx","line":27,"snippet":"if (!password()) errs.password = \"Password is required\";","matchedPattern":"secret assignment","score":106,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/routes/(auth)/reset-password.tsx","line":29,"snippet":"errs.password = \"Password must be at least 8 characters\";","matchedPattern":"secret assignment","score":106,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/routes/(auth)/signup.tsx","line":66,"snippet":"if (!password()) errs.password = \"Password is required\";","matchedPattern":"secret assignment","score":106,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/routes/(auth)/signup.tsx","line":68,"snippet":"errs.password = \"Password must be at least 8 characters\";","matchedPattern":"secret assignment","score":106,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/billing.service.test.ts","line":116,"snippet":"client_secret: \"cs_123_secret\",","matchedPattern":"secret assignment","score":98,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/billing.service.test.ts","line":140,"snippet":"client_secret: \"cs_123_secret\",","matchedPattern":"secret assignment","score":98,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/billing.service.test.ts","line":178,"snippet":"client_secret: \"cs_trial_secret\",","matchedPattern":"secret assignment","score":98,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/billing.service.test.ts","line":216,"snippet":"client_secret: \"cs_upgrade_secret\",","matchedPattern":"secret assignment","score":98,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"honker/packages/honker-bun/examples/atomic.ts","line":21,"snippet":"db.raw.exec(","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"honker/packages/honker-bun/src/index.ts","line":343,"snippet":"this.raw.exec(\"BEGIN IMMEDIATE\");","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"honker/packages/honker-bun/src/index.ts","line":422,"snippet":"raw.exec(\"PRAGMA busy_timeout = 5000;\");","matchedPattern":"python eval","score":90,"source":"builtin"}
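Review bot: `matchedPattern` is `python eval` for three TypeScript files (`honker-bun/examples/atomic.ts`, `honker-bun/src/index.ts`), so the pattern set is evidently not gated on file language; gating by extension would drop these and make the `"noise":"precise"` label honest, since `db.raw.exec(` in a `.ts` file is a SQLite statement call. The `errs.password = "Password is required"` records also carry the same `secret assignment` pattern and a higher score (106) than the `client_secret` fixtures (98); a value containing spaces or reading as a sentence should score lower, not higher, than a token-shaped one.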
@@ -23,17 +25,35 @@
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"honker/packages/honker-go/watcher_backends_queue_test.go","line":194,"snippet":"cmd := exec.Command(os.Args[0], \"-test.run\", \"^TestWatcherBackendQueueHelper$\")","matchedPattern":"go command","score":90,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"honker/packages/honker-go/watcher_backends_queue_test.go","line":226,"snippet":"cmd := exec.Command(os.Args[0], \"-test.run\", \"^TestWatcherBackendQueueHelper$\")","matchedPattern":"go command","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"honker/scripts/test_sqlite_versions.py","line":103,"snippet":"assert rc == SQLITE_OK, f\"exec({sql!r}) failed: {rc}\"","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"ml/spam-classifier/train.py","line":216,"snippet":"model.eval()","matchedPattern":"eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"ml/spam-classifier/train.py","line":216,"snippet":"model.eval()","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"ml/spam-classifier/train.py","line":216,"snippet":"model.eval()","matchedPattern":"ruby eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"ml/spam-classifier/train.py","line":280,"snippet":"model.eval()","matchedPattern":"eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"ml/spam-classifier/train.py","line":280,"snippet":"model.eval()","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"ml/spam-classifier/train.py","line":280,"snippet":"model.eval()","matchedPattern":"ruby eval","score":90,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/darkwatch/hibp.client.test.ts","line":65,"snippet":"const apiKey = \"test-api-key\";","matchedPattern":"secret assignment","score":90,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":13,"snippet":"const apiKey = \"test-shodan-key\";","matchedPattern":"secret assignment","score":90,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/hometitle/attom.client.test.ts","line":170,"snippet":"const apiKey = \"test-attom-api-key\";","matchedPattern":"secret assignment","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":101,"snippet":"while ((tableMatch = tableRegex.exec(html)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":127,"snippet":"while ((rowMatch = rowRegex.exec(tableHtml)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":153,"snippet":"while ((match = cellRegex.exec(headerRowHtml)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":160,"snippet":"while ((match = tdRegex.exec(headerRowHtml)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":199,"snippet":"while ((match = cellRegex.exec(rowHtml)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":294,"snippet":"while ((match = labelSpanPattern.exec(html)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":302,"snippet":"while ((match = thTdPattern.exec(html)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":310,"snippet":"while ((match = divFieldPattern.exec(html)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":318,"snippet":"while ((match = plainLabelPattern.exec(html)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/notification.service.test.ts","line":220,"snippet":"token: \"existing-token\",","matchedPattern":"secret assignment","score":90,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/notification.service.test.ts","line":256,"snippet":"token: \"other-user-token\",","matchedPattern":"secret assignment","score":90,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/admin.ts","line":40,"snippet":"stats: adminProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/admin.ts","line":58,"snippet":"blogList: adminProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/admin.ts","line":64,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/admin.ts","line":137,"snippet":"userList: adminProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/billing.test.ts","line":73,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/billing.test.ts","line":80,"snippet":".query(async () => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/billing.test.ts","line":113,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/billing.ts","line":33,"snippet":"getSubscription: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/billing.ts","line":155,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/billing.test.ts","line":95,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/billing.test.ts","line":102,"snippet":".query(async () => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/billing.test.ts","line":168,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/billing.ts","line":43,"snippet":"getSubscription: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/billing.ts","line":304,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"open-redirect","description":"Redirect sink that may accept user-controlled URLs.","noise":"normal","filePath":"web/src/routes/(admin)/blog/index.tsx","line":32,"snippet":"if (redirect()) return <Navigate href=\"/admin/blog/new\" />;","matchedPattern":"redirect call","score":81,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"honker/bench/real_bench.py","line":180,"snippet":"def spawn(script: str) -> subprocess.Popen:","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"honker/bench/real_bench.py","line":181,"snippet":"return subprocess.Popen(","matchedPattern":"python process","score":80,"source":"builtin"}
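Review bot: the two `real_bench.py` records in this hunk double-count one spawn site, and the first of them is matched by the wrong pattern: `def spawn(script: str) -> subprocess.Popen:` is a function signature with a return-type annotation, not a Node `child_process` call, so the "node child_process" attribution on line 180 is noise; only the `return subprocess.Popen(` record on line 181 describes an actual process launch. Consider tuning the `spawn(` pattern to skip `def`/type-annotation contexts so the precise-noise class stays precise.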
@@ -84,28 +104,72 @@
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"honker/tests/test_watcher_backends_e2e.py","line":98,"snippet":"proc = subprocess.Popen(","matchedPattern":"python process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"honker/tests/test_watcher_backends_queue_e2e.py","line":116,"snippet":"proc = subprocess.Popen(","matchedPattern":"python process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"honker/tests/test_watcher_backends_queue_e2e.py","line":181,"snippet":"res = subprocess.run(","matchedPattern":"python process","score":80,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":2,"snippet":"import { stripe } from \"~/server/stripe\";","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":2,"snippet":"import { stripe } from \"~/server/stripe\";","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":7,"snippet":"const signature = event.request.headers.get(\"stripe-signature\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":7,"snippet":"const signature = event.request.headers.get(\"stripe-signature\");","matchedPattern":"request header read","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":10,"snippet":"return new Response(\"Missing stripe-signature header\", { status: 400 });","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":14,"snippet":"const webhookEvent = stripe.webhooks.constructEvent(","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":24,"snippet":"const message = err instanceof Error ? err.message : \"Webhook error\";","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/scrapers/county-data.ts","line":536,"snippet":"notes: \"Massachusetts Land Records system (Middlesex County).\",","matchedPattern":"php process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":101,"snippet":"while ((tableMatch = tableRegex.exec(html)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":127,"snippet":"while ((rowMatch = rowRegex.exec(tableHtml)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":153,"snippet":"while ((match = cellRegex.exec(headerRowHtml)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":160,"snippet":"while ((match = tdRegex.exec(headerRowHtml)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":199,"snippet":"while ((match = cellRegex.exec(rowHtml)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":294,"snippet":"while ((match = labelSpanPattern.exec(html)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":302,"snippet":"while ((match = thTdPattern.exec(html)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":310,"snippet":"while ((match = divFieldPattern.exec(html)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":318,"snippet":"while ((match = plainLabelPattern.exec(html)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":4,"snippet":"vi.mock(\"~/server/stripe\", () => ({","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":5,"snippet":"stripe: {","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":44,"snippet":"describe(\"Webhook handler\", () => {","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":50,"snippet":"const { POST } = await import(\"./webhook\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":56,"snippet":"const { POST } = await import(\"./webhook\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":67,"snippet":"url: \"http://localhost/api/stripe/webhook\",","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":67,"snippet":"url: \"http://localhost/api/stripe/webhook\",","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":75,"snippet":"const { stripe } = await import(\"~/server/stripe\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":75,"snippet":"const { stripe } = await import(\"~/server/stripe\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":81,"snippet":"vi.mocked(stripe.webhooks.constructEvent).mockReturnValue(mockEvent as any);","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":83,"snippet":"expect(stripe.webhooks.constructEvent).toBeDefined();","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":89,"snippet":"\"~/server/db/schema/webhook-events\"","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":99,"snippet":"it(\"should clean up old webhook events\", async () => {","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":102,"snippet":"\"~/server/db/schema/webhook-events\"","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":113,"snippet":"const { cleanupWebhookEvents } = await import(\"./webhook\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":119,"snippet":"describe(\"Webhook deduplication\", () => {","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":142,"snippet":"describe(\"Webhook idempotency\", () => {","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":154,"snippet":"it(\"should handle all critical Stripe event types\", async () => {","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":4,"snippet":"import { stripe } from \"~/server/stripe\";","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":4,"snippet":"import { stripe } from \"~/server/stripe\";","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":6,"snippet":"import { stripeWebhookEvents } from \"~/server/db/schema/webhook-events\";","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":9,"snippet":"* Cleans up webhook event records older than 30 days to prevent unbounded table growth.","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":17,"snippet":"console.log(\"[webhook] Cleaned up old webhook event records (30+ days)\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":17,"snippet":"console.log(\"[webhook] Cleaned up old webhook event records (30+ days)\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":19,"snippet":"console.error(\"[webhook] Failed to clean up old webhook events:\", err);","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":19,"snippet":"console.error(\"[webhook] Failed to clean up old webhook events:\", err);","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":25,"snippet":"const signature = event.request.headers.get(\"stripe-signature\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":25,"snippet":"const signature = event.request.headers.get(\"stripe-signature\");","matchedPattern":"request header read","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":28,"snippet":"return new Response(\"Missing stripe-signature header\", { status: 400 });","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":32,"snippet":"const webhookEvent = stripe.webhooks.constructEvent(","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":38,"snippet":"// Check for duplicate event ID (webhook replay protection)","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":47,"snippet":"`[webhook] Duplicate event ${webhookEvent.id} (${webhookEvent.type}) — skipping`,","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":65,"snippet":"const message = err instanceof Error ? err.message : \"Webhook error\";","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/api.ts","line":7,"snippet":"hello: publicProcedure.query(() => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/blog.ts","line":18,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/blog.ts","line":46,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/blog.ts","line":77,"snippet":"tags: publicProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":40,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":48,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":53,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":58,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":63,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":71,"snippet":"getStats: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":15,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":21,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":27,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":33,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":43,"snippet":"getStats: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":51,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":59,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":64,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":69,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":74,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":82,"snippet":"getStats: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":85,"snippet":"getThreatScore: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":88,"snippet":"getThreatScoreTrend: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":91,"snippet":"getRecommendations: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":96,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":17,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":24,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":31,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":38,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":50,"snippet":"getStats: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":55,"snippet":"getThreatScore: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":60,"snippet":"getThreatScoreTrend: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":65,"snippet":"getRecommendations: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":72,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/darkwatch.test.ts","line":45,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/darkwatch.test.ts","line":51,"snippet":"getWatchlist: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/darkwatch.test.ts","line":66,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
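Review bot: every `raw-sql-query` record in this hunk (correlation.ts lines 55, 60, 65, 72 and darkwatch.test.ts lines 51, 66) matched the tRPC procedure builder, `protectedProcedure.query(async ({ ctx }) => {`, which defines a read procedure and does not construct or execute SQL; the `query call` pattern should require a database driver receiver or an SQL string rather than any `.query(` token, or these records should carry a lower `noise` rating than `normal`. The `hidden-control-channel` record for darkwatch.test.ts line 45 has the same problem: `const isAuthed = t.middleware(({ ctx, next }) => {` reads no request header, so the `identity or internal control header` pattern is firing on the word `middleware` alone. Consider adding a negative lookahead for `=> {` after `.query(` and requiring an actual header accessor (`headers.get`, `req.headers[...]`) for the header pattern before this report is relied on for triage.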
@@ -119,6 +183,12 @@
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/darkwatch.ts","line":54,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/example.ts","line":8,"snippet":".query(({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/extension.ts","line":10,"snippet":"getAuthStatus: publicProcedure.input(wrap(GetAuthStatusSchema)).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/family.ts","line":48,"snippet":"getGroup: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/family.ts","line":90,"snippet":"getDashboard: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/family.ts","line":100,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/family.ts","line":165,"snippet":"listInvitations: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/family.ts","line":241,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/family.ts","line":263,"snippet":"getAlertRouting: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/hometitle.test.ts","line":42,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/hometitle.test.ts","line":48,"snippet":"getProperties: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/hometitle.test.ts","line":63,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
@@ -136,11 +206,20 @@
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.test.ts","line":63,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.test.ts","line":68,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.test.ts","line":76,"snippet":"getStats: t.procedure.use(isAuthed).query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":13,"snippet":"getBrokerRegistry: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":19,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":31,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":37,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":47,"snippet":"getStats: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":15,"snippet":"getBrokerRegistry: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":21,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":33,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":39,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":49,"snippet":"getStats: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":54,"snippet":"getEnhancedStats: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":59,"snippet":"getCaptchaSolverStatus: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":73,"snippet":"getReListingStats: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":78,"snippet":"getAdapterSystemHealth: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":82,"snippet":"getBrokenAdapters: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":92,"snippet":"getAllAdapterHealth: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":97,"snippet":"getMonthlyCosts: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":101,"snippet":"getCostPerUser: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":105,"snippet":"getCostHistory: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/reports.test.ts","line":40,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/reports.test.ts","line":48,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/reports.test.ts","line":58,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
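Review bot: the removebrokers.ts records appear twice with identical snippets and line numbers shifted by two (13 to 15, 19 to 21, 31 to 33, 37 to 39, 47 to 49), which means the only change in those ten lines is that two lines were inserted above the first finding. Because each record is keyed on `line`, any edit higher in a file rewrites every finding below it and the committed report churns on unrelated commits, making it hard to tell new findings (`getCaptchaSolverStatus`, `getReListingStats`, `getAdapterSystemHealth`, `getMonthlyCosts`, `getCostPerUser`, `getCostHistory`) from moved ones. Suggest keying records on `filePath` + `matchedPattern` + `snippet` (or a hash of them) and treating `line` as metadata, or not committing the generated report at all and publishing it as a build artifact.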
@@ -152,31 +231,37 @@
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/api/routers/scheduler.ts","line":20,"snippet":"throw new Error(`Invalid job type: ${type}. Must be one of: ${JOB_TYPES.join(\", \")}`);","matchedPattern":"path join","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/scheduler.ts","line":30,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/scheduler.ts","line":49,"snippet":".query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":46,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":54,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":59,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":64,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":67,"snippet":"getRules: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":87,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":17,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":23,"snippet":".query(async ({ input, ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":29,"snippet":".query(async ({ input, ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":38,"snippet":"getRules: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":73,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":53,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":61,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":66,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":71,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":74,"snippet":"getRules: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":94,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":18,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":24,"snippet":".query(async ({ input, ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":30,"snippet":".query(async ({ input, ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":39,"snippet":"getRules: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":74,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":78,"snippet":"modelInfo: publicProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/user.test.ts","line":40,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/user.test.ts","line":46,"snippet":"me: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/user.test.ts","line":60,"snippet":".query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/user.ts","line":46,"snippet":"me: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/user.ts","line":63,"snippet":"listFamilyMembers: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":43,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":49,"snippet":"getEnrollments: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":69,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":74,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":79,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":14,"snippet":"getEnrollments: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":38,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":44,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":50,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":51,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":57,"snippet":"getEnrollments: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":90,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":95,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":100,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":103,"snippet":"getUsageStats: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":22,"snippet":"getEnrollments: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":65,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":71,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":77,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":81,"snippet":"getUsageStats: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":109,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":122,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":129,"snippet":"getCallAnalysisSettings: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(admin)/blog/[slug].tsx","line":25,"snippet":"api.admin.blogGet.query({ id: params.slug }).then(data => {","matchedPattern":"query call","score":71,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/(admin)/blog/[slug].tsx","line":55,"snippet":"tags: tags().join(\",\"),","matchedPattern":"path join","score":71,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/(admin)/blog/[slug].tsx","line":122,"snippet":"].join(\" \")}","matchedPattern":"path join","score":71,"source":"builtin"}
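Review bot: the `path-traversal-file-access` records in this hunk are matching `Array.prototype.join`, not a filesystem path join. scheduler.ts line 20 is `JOB_TYPES.join(", ")` inside an error message, and the two `[slug].tsx` records are `tags().join(",")` and `].join(" ")` building a tag string and a class list; none of them touches the filesystem, yet they score 79 and 71, the same band as the genuine `.query` findings. The `path join` pattern should require a `path.join`, `path.resolve` or `fs.` receiver, or at least exclude `.join(` preceded by `]` or `)`. Separately, the voiceprint.test.ts records show the same line-shift duplication as the other test files (43 to 51, 49 to 57, 69 to 90), so the new content in this hunk is smaller than the hunk size suggests.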
@@ -197,6 +282,15 @@
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/routes/(auth)/signup.tsx","line":113,"snippet":"redirectUrlComplete: window.location.origin + \"/onboarding\",","matchedPattern":"proxy or original request header","score":71,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/routes/billing/checkout.tsx","line":33,"snippet":"const returnUrl = `${window.location.origin}/billing/return`;","matchedPattern":"proxy or original request header","score":71,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/routes/billing/return.tsx","line":23,"snippet":"const response = await fetch(`/api/stripe/session-status?session_id=${sessionId}`);","matchedPattern":"fetch/http client","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.test.ts","line":7,"snippet":"} from \"./webhook\";","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.test.ts","line":168,"snippet":"describe(\"Webhook data validation - malformed payloads\", () => {","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.ts","line":4,"snippet":"* Validates a Stripe Checkout Session object from webhook data.","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.ts","line":4,"snippet":"* Validates a Stripe Checkout Session object from webhook data.","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.ts","line":17,"snippet":"* Price item inside a Stripe Subscription.","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.ts","line":28,"snippet":"* Validates a Stripe Subscription object from webhook data.","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.ts","line":28,"snippet":"* Validates a Stripe Subscription object from webhook data.","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.ts","line":50,"snippet":"* Validates a Stripe Invoice object from webhook data.","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.ts","line":50,"snippet":"* Validates a Stripe Invoice object from webhook data.","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"open-redirect","description":"Redirect sink that may accept user-controlled URLs.","noise":"normal","filePath":"web/src/app.tsx","line":40,"snippet":"<Show when={redirect()} keyed>","matchedPattern":"redirect call","score":65,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"browser-ext/tests/api-client.test.ts","line":55,"snippet":"const result = await client.spamshield.checkNumber.query({","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"browser-ext/tests/api-client.test.ts","line":64,"snippet":"const result = await client.spamshield.classifySMS.query({","matchedPattern":"query call","score":63,"source":"builtin"}
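Review bot: the webhook-without-obvious-signature records for `web/src/server/api/schemas/webhook.ts` at lines 4, 28 and 50 each appear twice with identical content, so the scanner emits duplicate records for the same file, line and pattern and the per-class totals double-count them; de-duplicate on (filePath, line, matchedPattern) before counting. The matches themselves are doc comments in a schema module (`* Validates a Stripe Checkout Session object from webhook data.`), not a handler route, and `redirectUrlComplete: window.location.origin + "/onboarding"` in `signup.tsx` is client-side code rather than a proxy header read, so both patterns should be scoped to server-side handler files to keep the signal useful.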
@@ -232,33 +326,49 @@
{"slug":"unsafe-html-or-template","description":"HTML injection sink or template escape bypass.","noise":"normal","filePath":"web/src/components/auth/auth.test.tsx","line":28,"snippet":"document.body.innerHTML = \"\";","matchedPattern":"dangerous html","score":63,"source":"builtin"}
{"slug":"weak-token-or-crypto","description":"Token, JWT, randomness, or crypto usage that deserves review.","noise":"normal","filePath":"web/src/components/auth/PasswordInput.tsx","line":25,"snippet":"Math.random().toString(36).slice(2, 10);","matchedPattern":"weak random","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/hooks/useAuth.ts","line":7,"snippet":"return await api.user.me.query();","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.test.ts","line":4,"snippet":"* Mirrors the isValidCorsOrigin function from middleware.ts","matchedPattern":"identity or internal control header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.test.ts","line":6,"snippet":"function isValidCorsOrigin(origin: string): boolean {","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.test.ts","line":7,"snippet":"if (!origin || !origin.trim()) return false;","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.test.ts","line":7,"snippet":"if (!origin || !origin.trim()) return false;","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.test.ts","line":8,"snippet":"if (origin === \"*\") return false;","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.test.ts","line":11,"snippet":"const parsed = new URL(origin);","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":1,"snippet":"import { createMiddleware, type RequestMiddleware } from \"@solidjs/start/middleware\";","matchedPattern":"identity or internal control header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":12,"snippet":"h.set(\"Referrer-Policy\", \"strict-origin-when-cross-origin\");","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":12,"snippet":"h.set(\"Referrer-Policy\", \"strict-origin-when-cross-origin\");","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":22,"snippet":"const origin = event.request.headers.get(\"origin\");","matchedPattern":"request header read","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":22,"snippet":"const origin = event.request.headers.get(\"origin\");","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":22,"snippet":"const origin = event.request.headers.get(\"origin\");","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":29,"snippet":"if (origin && allowedOrigins.includes(origin)) {","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":29,"snippet":"if (origin && allowedOrigins.includes(origin)) {","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":30,"snippet":"event.response.headers.set(\"Access-Control-Allow-Origin\", origin);","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":30,"snippet":"event.response.headers.set(\"Access-Control-Allow-Origin\", origin);","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":22,"snippet":"* Validates that an origin string is a well-formed HTTP(S) origin.","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":22,"snippet":"* Validates that an origin string is a well-formed HTTP(S) origin.","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":25,"snippet":"function isValidCorsOrigin(origin: string): boolean {","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":26,"snippet":"if (!origin || !origin.trim()) return false;","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":26,"snippet":"if (!origin || !origin.trim()) return false;","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":27,"snippet":"if (origin === \"*\") return false;","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":30,"snippet":"const parsed = new URL(origin);","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":42,"snippet":"const origin = event.request.headers.get(\"origin\");","matchedPattern":"request header read","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":42,"snippet":"const origin = event.request.headers.get(\"origin\");","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":42,"snippet":"const origin = event.request.headers.get(\"origin\");","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":48,"snippet":"// Validate APP_URL before trusting it as a CORS origin","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":54,"snippet":"console.warn(`[cors] APP_URL \"${appUrl}\" is not a valid HTTP(S) origin and will be excluded from CORS allowlist`);","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":58,"snippet":"if (origin && allowedOrigins.includes(origin)) {","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":58,"snippet":"if (origin && allowedOrigins.includes(origin)) {","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":59,"snippet":"event.response.headers.set(\"Access-Control-Allow-Origin\", origin);","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":59,"snippet":"event.response.headers.set(\"Access-Control-Allow-Origin\", origin);","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/darkwatch.tsx","line":21,"snippet":"() => api.darkwatch.getWatchlist.query(),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/darkwatch.tsx","line":25,"snippet":"() => api.darkwatch.getExposures.query({ page: 1, limit: 20 }),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/hometitle.tsx","line":21,"snippet":"() => api.hometitle.getProperties.query(),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/removebrokers.tsx","line":20,"snippet":"() => api.removebrokers.getBrokerRegistry.query(),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/removebrokers.tsx","line":24,"snippet":"() => api.removebrokers.getRemovalRequests.query({ page: 1, limit: 20 }),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/removebrokers.tsx","line":27,"snippet":"() => api.removebrokers.getStats.query(),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/removebrokers.tsx","line":51,"snippet":"() => api.removebrokers.getBrokerRegistry.query(),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/removebrokers.tsx","line":55,"snippet":"() => api.removebrokers.getRemovalRequests.query({ page: 1, limit: 20 }),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/removebrokers.tsx","line":58,"snippet":"() => api.removebrokers.getEnhancedStats.query(),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/routes/(webapp)/settings.tsx","line":31,"snippet":"returnUrl: `${window.location.origin}/settings`,","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/spamshield.tsx","line":21,"snippet":"() => api.spamshield.getRules.query(),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/spamshield.tsx","line":33,"snippet":"const result = await api.spamshield.checkNumber.query({ phoneNumber: phoneNumber() });","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/voiceprint.tsx","line":21,"snippet":"() => api.voiceprint.getEnrollments.query(),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/blog.tsx","line":22,"snippet":"const [allPostsResult] = createResource(() => api.blog.list.query({ limit: \"100\" }));","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/blog.tsx","line":26,"snippet":"const [tagListResult] = createResource(() => api.blog.tags.query());","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":50,"snippet":"const [dataResult] = createResource(() => api.blog.bySlug.query({ slug: params.slug }));","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":103,"snippet":"{(p().authorName || \"K\").split(\" \").map((n: string) => n[0]).join(\"\")}","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"unsafe-html-or-template","description":"HTML injection sink or template escape bypass.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":121,"snippet":"<div class=\"prose-custom\" innerHTML={contentHtml()} />","matchedPattern":"dangerous html","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":127,"snippet":"{(p().authorName || \"K\").split(\" \").map((n: string) => n[0]).join(\"\")}","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":142,"snippet":"onClick={() => window.open(`https://twitter.com/intent/tweet?text=${encodeURIComponent(p().title)}&url=${encodeURIComponent(window.location.href)}`, \"_blank\")}","matchedPattern":"python file open","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":150,"snippet":"onClick={() => window.open(`https://linkedin.com/sharing/share-offsite/?url=${encodeURIComponent(window.location.href)}`, \"_blank\")}","matchedPattern":"python file open","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":51,"snippet":"const [dataResult] = createResource(() => api.blog.bySlug.query({ slug: params.slug }));","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":104,"snippet":"{(p().authorName || \"K\").split(\" \").map((n: string) => n[0]).join(\"\")}","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"unsafe-html-or-template","description":"HTML injection sink or template escape bypass.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":122,"snippet":"<div class=\"prose-custom\" innerHTML={sanitizeHtml(contentHtml())} />","matchedPattern":"dangerous html","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":128,"snippet":"{(p().authorName || \"K\").split(\" \").map((n: string) => n[0]).join(\"\")}","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":143,"snippet":"onClick={() => window.open(`https://twitter.com/intent/tweet?text=${encodeURIComponent(p().title)}&url=${encodeURIComponent(window.location.href)}`, \"_blank\")}","matchedPattern":"python file open","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":151,"snippet":"onClick={() => window.open(`https://linkedin.com/sharing/share-offsite/?url=${encodeURIComponent(window.location.href)}`, \"_blank\")}","matchedPattern":"python file open","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/migrated-pages.test.tsx","line":96,"snippet":"Promise.resolve({","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"unsafe-html-or-template","description":"HTML injection sink or template escape bypass.","noise":"normal","filePath":"web/src/routes/migrated-pages.test.tsx","line":329,"snippet":"document.body.innerHTML = \"\";","matchedPattern":"dangerous html","score":63,"source":"builtin"}
{"slug":"unsafe-html-or-template","description":"HTML injection sink or template escape bypass.","noise":"normal","filePath":"web/src/routes/migrated-pages.test.tsx","line":333,"snippet":"document.body.innerHTML = \"\";","matchedPattern":"dangerous html","score":63,"source":"builtin"}
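Review bot: the `web/src/middleware.test.ts` record at line 4 reads `* Mirrors the isValidCorsOrigin function from middleware.ts`, meaning the test re-implements the CORS origin validator instead of importing it, so the test can keep passing while the real `isValidCorsOrigin` in `middleware.ts` diverges; export the function from `middleware.ts` and import it in the test. The unsafe-html-or-template record for `web/src/routes/blog/[slug].tsx` changes from `innerHTML={contentHtml()}` to `innerHTML={sanitizeHtml(contentHtml())}` but keeps score 63, so the score does not reflect the added sanitizer; the review should confirm what `sanitizeHtml` actually allows rather than trust the name. The weak-random record for `PasswordInput.tsx` line 25 (`Math.random().toString(36).slice(2, 10)`) is only a concern if the value is used for anything beyond a DOM id, and the `python file open` pattern firing on `window.open(...)` in a `.tsx` file should be filtered by file extension.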
@@ -276,6 +386,11 @@
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/utils.ts","line":21,"snippet":"const isAdmin = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/utils.ts","line":35,"snippet":"const isRateLimited = t.middleware(async ({ ctx, next, path }) => {","matchedPattern":"identity or internal control header","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/jobs/handlers/darkwatch.scan.test.ts","line":8,"snippet":"then: vi.fn().mockImplementation((fn: Function) => Promise.resolve(fn(result))),","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/jobs/handlers/removebrokers.process.ts","line":167,"snippet":".join(\", \");","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/billing.service.ts","line":304,"snippet":"`[billing:webhook] Failed to parse subscription data: ${result.issues?.map((i) => i.message).join(\", \")}`,","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/billing.service.ts","line":315,"snippet":"`[billing:webhook] Failed to parse checkout session data: ${result.issues?.map((i) => i.message).join(\", \")}`,","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/billing.service.ts","line":326,"snippet":"`[billing:webhook] Failed to parse invoice data: ${result.issues?.map((i) => i.message).join(\", \")}`,","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"weak-token-or-crypto","description":"Token, JWT, randomness, or crypto usage that deserves review.","noise":"normal","filePath":"web/src/server/services/removebrokers/proxy.ts","line":131,"snippet":"return Math.random().toString(36).substring(2, 15);","matchedPattern":"weak random","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"android/app/src/main/java/com/kordant/android/ui/components/ShieldCard.kt","line":50,"snippet":"header()","matchedPattern":"request header read","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"browser-ext/src/background/index.ts","line":51,"snippet":"const result = await client.spamshield.checkNumber.query({ phoneNumber });","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"browser-ext/src/background/index.ts","line":68,"snippet":"const result = await client.spamshield.classifySMS.query({ text });","matchedPattern":"query call","score":55,"source":"builtin"}
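Review bot: the weak-token-or-crypto record for `web/src/server/services/removebrokers/proxy.ts` line 131, `return Math.random().toString(36).substring(2, 15);`, is server-side code in a proxy module, so the review should establish what that value identifies; if it is used as a session, request or sticky-proxy identifier, derive it from `crypto.randomUUID()` or `crypto.randomBytes` instead, since `Math.random()` output is predictable. The hidden-control-channel record for `ShieldCard.kt` line 50 (`header()`) is a Kotlin UI function call, not an HTTP header read, and the `request header read` pattern should not fire on `.kt` UI files.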
@@ -1332,17 +1447,23 @@
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"honker/tests/test_worker_task_options.py","line":125,"snippet":"rows = db.query(","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"honker/tests/test_worker_task_options.py","line":139,"snippet":"db = honker.open(db_path)","matchedPattern":"python file open","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"honker/tests/test_worker_task_options.py","line":144,"snippet":"row = db.query(\"SELECT run_at FROM _honker_live\")[0]","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/AlertFeedWidget.tsx","line":67,"snippet":"api.correlation.getAlerts.query({ limit: 10 }),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"weak-token-or-crypto","description":"Token, JWT, randomness, or crypto usage that deserves review.","noise":"normal","filePath":"ml/spam-classifier/train.py","line":118,"snippet":"if random.random() < 0.5:","matchedPattern":"weak random","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"ml/spam-classifier/train.py","line":352,"snippet":"with open(metadata_path, \"w\") as f:","matchedPattern":"python file open","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/AlertFeedWidget.tsx","line":95,"snippet":"api.correlation.getAlerts.query({ limit: 10 }),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/AlertFeedWidget.tsx","line":100,"snippet":"api.correlation.getGroups.query({ status: \"ACTIVE\", limit: 5 }),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"unsafe-html-or-template","description":"HTML injection sink or template escape bypass.","noise":"normal","filePath":"web/src/components/dashboard/dashboard.test.tsx","line":81,"snippet":"document.body.innerHTML = \"\";","matchedPattern":"dangerous html","score":55,"source":"builtin"}
{"slug":"unsafe-html-or-template","description":"HTML injection sink or template escape bypass.","noise":"normal","filePath":"web/src/components/dashboard/dashboard.test.tsx","line":86,"snippet":"document.body.innerHTML = \"\";","matchedPattern":"dangerous html","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/ExposureWidget.tsx","line":47,"snippet":"api.darkwatch.getExposures.query({ limit: 1 }),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/HomeTitleWidget.tsx","line":37,"snippet":"api.hometitle.getProperties.query(),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/HomeTitleWidget.tsx","line":41,"snippet":"api.hometitle.getAlerts.query(),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/RemoveBrokersWidget.tsx","line":20,"snippet":"api.removebrokers.getStats.query(),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/RemoveBrokersWidget.tsx","line":20,"snippet":"api.removebrokers.getEnhancedStats.query(),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/RemoveBrokersWidget.tsx","line":24,"snippet":"api.removebrokers.getBrokerRegistry.query(),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/SpamShieldWidget.tsx","line":21,"snippet":"api.spamshield.getStats.query({ period: \"week\" }),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/SpamShieldWidget.tsx","line":25,"snippet":"api.spamshield.getRules.query(),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/ThreatScoreWidget.tsx","line":33,"snippet":"const [stats] = createResource(tick, () => api.correlation.getStats.query());","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/components/dashboard/ThreatScoreWidget.tsx","line":47,"snippet":".join(\" \");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/ThreatScoreWidget.tsx","line":80,"snippet":"const [stats] = createResource(tick, () => api.correlation.getStats.query());","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/ThreatScoreWidget.tsx","line":83,"snippet":"const [trendData] = createResource(() => api.correlation.getThreatScoreTrend.query());","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/ThreatScoreWidget.tsx","line":86,"snippet":"const [recommendations] = createResource(() => api.correlation.getRecommendations.query());","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/components/dashboard/TopBar.tsx","line":20,"snippet":".join(\"\")","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/VoicePrintWidget.tsx","line":21,"snippet":"api.voiceprint.getEnrollments.query(),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/VoicePrintWidget.tsx","line":25,"snippet":"api.voiceprint.getAnalyses.query({ limit: 10 }),","matchedPattern":"query call","score":55,"source":"builtin"}
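Review bot: almost every `raw-sql-query` entry in this hunk is a false positive from the `query call` pattern matching RPC client methods, e.g. `api.correlation.getAlerts.query({ limit: 10 })` and `api.hometitle.getProperties.query()`, which take object or empty arguments and build no SQL; the one genuine SQL site here, `row = db.query("SELECT run_at FROM _honker_live")[0]` in `honker/tests/test_worker_task_options.py`, is a constant string in a test and is fine as written. The `path traversal` hits on `.join(" ")` / `.join("")` in the dashboard widgets are string joins, not path joins, the `weak random` hit on `if random.random() < 0.5:` in `ml/spam-classifier/train.py` is a training-time coin flip rather than a token, and `document.body.innerHTML = "";` in `dashboard.test.tsx` is test cleanup with an empty literal. Suggest narrowing the `query call` pattern so that member chains ending in `.query(` with an object literal or no argument do not match, and treating `Array.join` on non-path strings as out of scope, otherwise the report's volume hides the handful of findings that do warrant review.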
@@ -1360,24 +1481,160 @@
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/hooks/useSubscription.ts","line":16,"snippet":"api.billing.getSubscription.query(),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/lib/utils.ts","line":2,"snippet":"return classes.filter(Boolean).join(\" \");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/health.ts","line":17,"snippet":"await client.execute({ sql: \"SELECT 1\" });","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/jobs/scheduler.ts","line":43,"snippet":"return Object.values(CRON_OVERVIEW).join(\"\\n\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/lib/env.ts","line":67,"snippet":"console.error(\"Missing required variables:\", missingKeys.join(\", \"));","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/jobs/scheduler.test.ts","line":15,"snippet":"then: vi.fn().mockImplementation((fn: Function) => Promise.resolve(fn(result))),","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/jobs/scheduler.ts","line":50,"snippet":"return Object.values(CRON_OVERVIEW).join(\"\\n\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/lib/env.ts","line":69,"snippet":"console.error(\"Missing required variables:\", missingKeys.join(\", \"));","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/lib/logger.ts","line":22,"snippet":"\"req.headers.authorization\",","matchedPattern":"request header read","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/lib/logger.ts","line":23,"snippet":"\"req.headers.cookie\",","matchedPattern":"request header read","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/lib/logger.ts","line":24,"snippet":"\"req.headers.x-api-key\",","matchedPattern":"request header read","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/lib/request-logger.ts","line":1,"snippet":"import { type RequestMiddleware } from \"@solidjs/start/middleware\";","matchedPattern":"identity or internal control header","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":54,"snippet":"const res = await fetch(url, { headers, signal: AbortSignal.timeout(10_000) });","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":155,"snippet":"`https://api.shodan.io/shodan/host/search?key=${apiKey}&query=${encodeURIComponent(query)}&limit=10`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/hometitle/scanner.ts","line":49,"snippet":"const res = await fetch(url);","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/correlation.service.ts","line":190,"snippet":"? (existingNarrative ? existingNarrative + \" \" : \"\") + scoreResult.narratives.join(\" \")","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/correlation/engine.ts","line":83,"snippet":"narrative = result.narratives.join(\" \");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/alert.cooldown.test.ts","line":8,"snippet":"then: vi.fn().mockImplementation((fn: Function) => Promise.resolve(fn(result))),","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":71,"snippet":"it(\"returns parsed host search results\", async () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":133,"snippet":"it(\"returns detailed host info\", async () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":233,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":238,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":246,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":251,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":258,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":263,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":270,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":275,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":280,"snippet":"it(\"returns no exposures for clean host\", () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":281,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":286,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":250,"snippet":"const res = await fetch(url, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":309,"snippet":"// viewHost — detailed host fingerprinting by IP","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":313,"snippet":"const cacheKey = `host:${createHash(\"sha256\").update(ip.toLowerCase()).digest(\"hex\").slice(0, 16)}`;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":322,"snippet":"const host: CensysHost = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":335,"snippet":"set(cacheKey, host, { prefix: CACHE_PREFIX, ttl: HOST_CACHE_TTL }).catch(() => {});","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":336,"snippet":"return host;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":372,"snippet":"analyzeHostExposures(host: CensysHost): CensysExposure[] {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":396,"snippet":"for (const service of host.services) {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":403,"snippet":"ip: host.ip,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":458,"snippet":"detail: `Certificate has known vulnerabilities: ${cert.vulnerabilities.join(\", \")}`,","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/digest.service.ts","line":269,"snippet":".join(\"\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/digest.service.ts","line":283,"snippet":"${sections.join(\"\")}","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/digest.service.ts","line":307,"snippet":"return lines.join(\"\\n\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/hibp.client.test.ts","line":243,"snippet":"Promise.resolve(","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/hibp.client.test.ts","line":263,"snippet":"Promise.resolve(","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/darkwatch/hibp.client.ts","line":177,"snippet":"res = await fetch(url, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/darkwatch/hibp.client.ts","line":254,"snippet":"res = await fetch(","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/darkwatch/hibp.client.ts","line":308,"snippet":"res = await fetch(`${this.baseUrl}/breaches`, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.test.ts","line":362,"snippet":"// Mock host search","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.test.ts","line":459,"snippet":"// Mock host lookup","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":321,"snippet":"// Censys scan — host search + certificate analysis","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":350,"snippet":"for (const host of hostResults.hosts) {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":351,"snippet":"// Analyze host for exposures","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":352,"snippet":"const exposures = censys.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":425,"snippet":"const host = await shodan.host(identifier);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":425,"snippet":"const host = await shodan.host(identifier);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":427,"snippet":"if (host) {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":428,"snippet":"const exposures = shodan.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":442,"snippet":"for (const host of searchResult.matches) {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":443,"snippet":"const exposures = shodan.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":445,"snippet":"results.push(processScanResult(\"shodan\", exp, host.ip_str ?? identifier));","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/darkwatch/securitytrails.client.ts","line":196,"snippet":"const res = await fetch(url, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":119,"snippet":"// host","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":122,"snippet":"describe(\"host\", () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":123,"snippet":"it(\"returns detailed host info\", async () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":157,"snippet":"const result = await client.host(\"93.184.216.34\");","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":168,"snippet":"const result = await client.host(\"1.2.3.4\");","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":200,"snippet":"expect.stringContaining(\"/host/count\"),","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":212,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":220,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":227,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":236,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":243,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":257,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":264,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":277,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":284,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":297,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":304,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":317,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":325,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":332,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":169,"snippet":"const res = await fetch(url, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":208,"snippet":"const url = `${this.baseUrl}/host/search?key=${this.apiKey}&query=${encodeURIComponent(query)}&page=${page}`;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":222,"snippet":"// host — detailed host information by IP","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":222,"snippet":"// host — detailed host information by IP","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":225,"snippet":"async host(ip: string): Promise<ShodanHost | null> {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":226,"snippet":"const cacheKey = `host:${createHash(\"sha256\").update(ip.toLowerCase()).digest(\"hex\").slice(0, 16)}`;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":230,"snippet":"const url = `${this.baseUrl}/host/${encodeURIComponent(ip)}?key=${this.apiKey}`;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":251,"snippet":"const url = `${this.baseUrl}/host/count?key=${this.apiKey}&query=${encodeURIComponent(query)}`;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":263,"snippet":"analyzeHostExposures(host: ShodanHost): ShodanExposure[] {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":267,"snippet":"if (host.tags?.includes(\"tor\")) {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":271,"snippet":"detail: `IP ${host.ip_str} is a known Tor exit node`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":272,"snippet":"ip: host.ip_str,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":277,"snippet":"if (host.tags?.includes(\"iot\")) {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":281,"snippet":"detail: `IoT device exposed: ${host.ip_str}${host.os ? ` (${host.os})` : \"\"}`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":281,"snippet":"detail: `IoT device exposed: ${host.ip_str}${host.os ? ` (${host.os})` : \"\"}`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":281,"snippet":"detail: `IoT device exposed: ${host.ip_str}${host.os ? ` (${host.os})` : \"\"}`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":282,"snippet":"ip: host.ip_str,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":287,"snippet":"const portData = host.data ?? [];","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":295,"snippet":"detail: `Database ${port.product ?? \"service\"} exposed on port ${port.port} (${host.ip_str})`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":296,"snippet":"ip: host.ip_str,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":311,"snippet":"detail: `Admin panel exposed: \"${port.http.title}\" on port ${port.port} (${host.ip_str})`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":344,"snippet":"detail: `Service on port ${port.port} has known vulnerabilities: ${port.vulns.join(\", \")}`,","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":381,"snippet":"detail: `Host ${host.ip_str} has vulnerabilities: ${newVulns.join(\", \")}`,","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/family.service.ts","line":1139,"snippet":"message: `This action requires one of these roles: ${allowedRoles.join(\", \")}`,","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/hometitle/attom.client.ts","line":228,"snippet":"const res = await fetch(url, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/hometitle/county-scrapers/rate-limiter.ts","line":16,"snippet":"* Resolves when it's safe to make the request (respects per-county interval).","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/hometitle/county-scrapers/rate-limiter.ts","line":42,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/hometitle/county-scrapers/rate-limiter.ts","line":47,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/hometitle/county-scrapers/rate-limiter.ts","line":63,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/hometitle/scanner.ts","line":320,"snippet":"const res = await fetch(url);","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/removebrokers/adapter-health.ts","line":188,"snippet":"`Broken: ${failingAdapters.filter((a) => a.status === \"broken\").map((a) => a.brokerName).join(\", \")}`;","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/removebrokers/adapters/base.ts","line":150,"snippet":"? Promise.resolve({ state: Notification.permission } as PermissionStatus)","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/removebrokers/adapters/base.ts","line":172,"snippet":"const baseDir = path.resolve(screenshotsDir);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/removebrokers/adapters/base.ts","line":175,"snippet":"const fullPath = path.join(baseDir, filename);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"weak-token-or-crypto","description":"Token, JWT, randomness, or crypto usage that deserves review.","noise":"normal","filePath":"web/src/server/services/removebrokers/adapters/base.ts","line":316,"snippet":"await el.type(value, { delay: 50 + Math.random() * 50 });","matchedPattern":"weak random","score":55,"source":"builtin"}
{"slug":"weak-token-or-crypto","description":"Token, JWT, randomness, or crypto usage that deserves review.","noise":"normal","filePath":"web/src/server/services/removebrokers/adapters/base.ts","line":331,"snippet":"await new Promise((r) => setTimeout(r, 200 + Math.random() * 300));","matchedPattern":"weak random","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/removebrokers/adapters/beenverified.ts","line":51,"snippet":"await this.fillField('input[name=\"lastName\"], input[placeholder*=\"Last\"]', nameParts.slice(1).join(\" \"));","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/removebrokers/adapters/whitepages.ts","line":62,"snippet":"const lastName = this.config.personalInfo.fullName.split(\" \").slice(1).join(\" \");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/removebrokers/captcha-solver.ts","line":169,"snippet":"const submitResponse = await fetch(submitUrl, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/removebrokers/captcha-solver.ts","line":192,"snippet":"const resultResponse = await fetch(resultUrl, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/removebrokers/captcha-solver.ts","line":492,"snippet":"const response = await fetch(","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/removebrokers/email-verifier.ts","line":137,"snippet":"fetch(","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/removebrokers/email-verifier.ts","line":153,"snippet":"host: config.imapHost!,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/removebrokers/email-verifier.ts","line":169,"snippet":"for await (const msg of client.fetch(","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/removebrokers/email-verifier.ts","line":396,"snippet":"// Find the best matching request (by domain or name)","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":9,"snippet":"const TEMPLATES_DIR = join(__dirname, \"templates\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":10,"snippet":"const REPORTS_DIR = join(process.cwd(), \"reports\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":158,"snippet":".join(\"\\n\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":221,"snippet":"return items.join(\"\\n\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":231,"snippet":"return readFileSync(join(TEMPLATES_DIR, filename), \"utf-8\");","matchedPattern":"file read/write","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":231,"snippet":"return readFileSync(join(TEMPLATES_DIR, filename), \"utf-8\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":268,"snippet":"const userDir = join(REPORTS_DIR, userId);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":272,"snippet":"const filePath = join(userDir, filename);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":273,"snippet":"writeFileSync(filePath, pdfBuffer);","matchedPattern":"file read/write","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":312,"snippet":"const userDir = join(REPORTS_DIR, userId);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":316,"snippet":"const filePath = join(userDir, filename);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":317,"snippet":"writeFileSync(filePath, pdfBuffer);","matchedPattern":"file read/write","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":138,"snippet":"const vocabPath = path.join(configPath, \"vocab.txt\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":139,"snippet":"const tokenizerConfigPath = path.join(configPath, \"tokenizer_config.json\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":144,"snippet":"const vocabText = fs.readFileSync(vocabPath, \"utf-8\");","matchedPattern":"file read/write","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":158,"snippet":"const configData = JSON.parse(fs.readFileSync(tokenizerConfigPath, \"utf-8\"));","matchedPattern":"file read/write","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":255,"snippet":"const DEFAULT_MODEL_DIR = path.join(__dirname, \"..\", \"..\", \"models\", \"spam-classifier\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":269,"snippet":"const metadataPath = path.join(modelDir, \"model_metadata.json\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":271,"snippet":"modelState.metadata = JSON.parse(fs.readFileSync(metadataPath, \"utf-8\"));","matchedPattern":"file read/write","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":280,"snippet":"const modelPath = path.join(modelDir, \"model.onnx\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":283,"snippet":"const modelDataPath = path.join(modelDir, \"model.onnx.data\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":291,"snippet":"console.log(`[spamshield] Inputs: ${modelState.session.inputNames.join(\", \")}`);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":292,"snippet":"console.log(`[spamshield] Outputs: ${modelState.session.outputNames.join(\", \")}`);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/spamshield/twilio.client.ts","line":246,"snippet":"const response = await fetch(url, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/twilio.client.ts","line":280,"snippet":"const url = `https://lookups.twilio.com/v1/PhoneNumbers/${encodeURIComponent(phoneNumber)}?Type=${types.join(\"&Type=\")}`;","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/spamshield/twilio.client.ts","line":282,"snippet":"const response = await fetch(url, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":35,"snippet":"Promise.resolve({","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":63,"snippet":"text: () => Promise.resolve('{\"error\": {\"code\": \"Unauthorized\"}}'),","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":75,"snippet":"Promise.resolve({","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":106,"snippet":"Promise.resolve({","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":126,"snippet":"Promise.resolve({","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":166,"snippet":"json: () => Promise.resolve(profiles),","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":179,"snippet":"Promise.resolve({","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":203,"snippet":"Promise.resolve({","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":239,"snippet":"json: () => Promise.resolve([]),","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.ts","line":116,"snippet":"const response = await fetch(url, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.ts","line":206,"snippet":"return this.request<void>(\"DELETE\", `/profiles/${profileId}`);","matchedPattern":"sql keyword string","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/storage.test.ts","line":12,"snippet":"testDir = mkdtempSync(join(tmpdir(), \"vp-storage-test-\"));","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/storage.test.ts","line":52,"snippet":"const dir = join(testDir, \"uploads\", \"voiceprint\", userId);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/storage.test.ts","line":67,"snippet":"const filePath = join(testDir, \"test.wav\");","matchedPattern":"path join","score":55,"source":"builtin"}
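Review bot: most `path-traversal-file-access` records in this hunk are false positives of the "path join" matcher, which fires on any `.join(` or `resolve(` token: `modelState.session.inputNames.join(", ")`, `Promise.resolve({`, `json: () => Promise.resolve(profiles)` and the Twilio URL's `types.join("&Type=")` are array or promise operations, not filesystem paths, and the `raw-sql-query` hit on `this.request<void>("DELETE", ...)` in `azure.client.ts` is an HTTP method string, not SQL. Tighten the matcher to `path.join`/`path.resolve` (or a `join` imported from `node:path`) and tag the `*.test.ts` records as `noise: "noisy"`, so the records that do merit a look, `path.join(modelDir, ...)` in `onnx.inference.ts` and the `fetch(url, ...)` SSRF candidates in `twilio.client.ts` and `azure.client.ts`, are not buried at the same score of 55.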
@@ -1387,10 +1644,43 @@
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/storage.ts","line":23,"snippet":"const filePath = join(userDir, `${hash}.wav`);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/storage.ts","line":24,"snippet":"await writeFile(filePath, audioBuffer);","matchedPattern":"file read/write","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/storage.ts","line":41,"snippet":"const filePath = join(getUserDir(userId), `${audioHash}.wav`);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/websocket.ts","line":139,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/websocket.ts","line":145,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/websocket.ts","line":201,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/websocket.ts","line":213,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":23,"snippet":"origin: string;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":73,"snippet":"describe(\"WebSocket Origin validation\", () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":92,"snippet":"it(\"should accept connection from trusted localhost origin\", () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":95,"snippet":"origin: \"http://localhost:3000\",","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":101,"snippet":"it(\"should accept connection from trusted 127.0.0.1 origin\", () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":104,"snippet":"origin: \"http://127.0.0.1:3000\",","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":110,"snippet":"it(\"should reject connection from untrusted origin\", () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":113,"snippet":"origin: \"https://evil.com\",","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":119,"snippet":"it(\"should reject connection without origin header\", () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":122,"snippet":"origin: \"\",","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":123,"snippet":"req: { headers: { origin: \"\" } },","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":128,"snippet":"it(\"should reject connection with wildcard origin\", () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":132,"snippet":"origin: wildcardOrigin,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":141,"snippet":"origin: \"ws://localhost:3000\",","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":152,"snippet":"origin: \"http://localhost:3000\",","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":161,"snippet":"origin: \"not-a-valid-url://\",","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":18,"snippet":"// Validate APP_URL before trusting it as a WebSocket origin","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":34,"snippet":"for (const origin of explicit.split(\",\").map((o) => o.trim())) {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":35,"snippet":"if (origin) origins.push(origin);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":35,"snippet":"if (origin) origins.push(origin);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":43,"snippet":"* Validates the Origin header against the trusted origins allowlist.","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":47,"snippet":"origin: string | undefined,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":50,"snippet":"if (!origin || !origin.trim()) return false;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":50,"snippet":"if (!origin || !origin.trim()) return false;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":51,"snippet":"return trustedOrigins.includes(origin);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/websocket.ts","line":266,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":273,"snippet":"verifyClient: (info: { origin: string; req: IncomingMessage }) => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":274,"snippet":"const origin = info.req.headers.origin ?? info.origin;","matchedPattern":"request header read","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":274,"snippet":"const origin = info.req.headers.origin ?? info.origin;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":274,"snippet":"const origin = info.req.headers.origin ?? info.origin;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":274,"snippet":"const origin = info.req.headers.origin ?? info.origin;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":275,"snippet":"if (!isTrustedOrigin(origin, TRUSTED_ORIGINS)) {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":277,"snippet":"`[websocket] Rejected untrusted origin: ${origin ?? \"(none)\"}`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":277,"snippet":"`[websocket] Rejected untrusted origin: ${origin ?? \"(none)\"}`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/websocket.ts","line":286,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/websocket.ts","line":383,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/websocket.ts","line":395,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/test/__mocks__/drizzle-orm-libsql-migrator.js","line":2,"snippet":"return Promise.resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/test/__mocks__/drizzle-orm-libsql.js","line":5,"snippet":"where: () => ({ limit: () => Promise.resolve([]) }),","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/test/__mocks__/drizzle-orm-libsql.js","line":9,"snippet":"values: () => ({ returning: () => Promise.resolve([{ id: \"mock-id\" }]) }),","matchedPattern":"path join","score":55,"source":"builtin"}
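Review bot: this hunk emits verbatim duplicate records that should be collapsed before ranking: `websocket.ts` line 35 `if (origin) origins.push(origin);` appears twice, line 50 `if (!origin || !origin.trim()) return false;` twice, line 274 `const origin = info.req.headers.origin ?? info.origin;` four times (once as "request header read", three times as "proxy or original request header") and line 277 twice; deduplicating on (filePath, line, matchedPattern) would also make the per-class totals meaningful. On triage, the eight bare `resolve();` hits in `websocket.ts` are Promise resolvers, not path resolution, whereas the `storage.ts` joins of `${hash}.wav` and `${audioHash}.wav` under a per-user directory are the records a reviewer should spend time on, confirming that `hash`, `audioHash` and `userId` are constrained to a fixed character set before reaching `join`. The `hidden-control-channel` hits on `websocket.ts` lines 43-51 and 273-277 describe an exact-match allowlist (`trustedOrigins.includes(origin)`) that rejects empty origins, which is the expected shape for Origin validation and could be scored down once the test-file echoes of it are filtered.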
@@ -1405,8 +1695,9 @@
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/vitest.config.ts","line":54,"snippet":"{ find: /^drizzle-orm\\/libsql$/, replacement: resolve(mocksDir, \"drizzle-orm-libsql.js\") },","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/vitest.config.ts","line":55,"snippet":"{ find: /^drizzle-orm\\/sqlite-core$/, replacement: resolve(mocksDir, \"drizzle-orm-sqlite-core.js\") },","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/vitest.config.ts","line":56,"snippet":"{ find: /^drizzle-orm$/, replacement: resolve(mocksDir, \"drizzle-orm.js\") },","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/vitest.node.config.ts","line":12,"snippet":"{ find: \"~\", replacement: resolve(__dirname, \"./src\") },","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"public-entrypoint","description":"Public route, handler, controller, workflow, or operation entry point.","noise":"noisy","filePath":"web/src/routes/api/stripe/session-status.ts","line":6,"snippet":"const sessionId = url.searchParams.get(\"session_id\");","matchedPattern":"http route","score":54,"source":"builtin"}
{"slug":"public-entrypoint","description":"Public route, handler, controller, workflow, or operation entry point.","noise":"noisy","filePath":"web/src/routes/api/stripe/webhook.ts","line":7,"snippet":"const signature = event.request.headers.get(\"stripe-signature\");","matchedPattern":"http route","score":54,"source":"builtin"}
{"slug":"public-entrypoint","description":"Public route, handler, controller, workflow, or operation entry point.","noise":"noisy","filePath":"web/src/routes/api/stripe/webhook.ts","line":25,"snippet":"const signature = event.request.headers.get(\"stripe-signature\");","matchedPattern":"http route","score":54,"source":"builtin"}
{"slug":"public-entrypoint","description":"Public route, handler, controller, workflow, or operation entry point.","noise":"noisy","filePath":"web/src/server/api/trpc.ts","line":15,"snippet":"const cookieHeader = req.headers.get(\"cookie\") ?? \"\";","matchedPattern":"http route","score":38,"source":"builtin"}
{"slug":"public-entrypoint","description":"Public route, handler, controller, workflow, or operation entry point.","noise":"noisy","filePath":"web/src/server/api/trpc.ts","line":52,"snippet":"const authHeader = req.headers.get(\"authorization\");","matchedPattern":"http route","score":38,"source":"builtin"}
{"slug":"public-entrypoint","description":"Public route, handler, controller, workflow, or operation entry point.","noise":"noisy","filePath":"web/src/server/api/trpc.ts","line":65,"snippet":"apiKey = req.headers.get(\"x-api-key\") ?? null;","matchedPattern":"http route","score":38,"source":"builtin"}
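Review bot: the `vitest.config.ts` and `vitest.node.config.ts` records are `resolve(mocksDir, "...")` and `resolve(__dirname, "./src")` alias definitions over string literals in test configuration, so they belong outside `path-traversal-file-access` (or at least marked noisy) rather than scored 55 alongside runtime code. Conversely, the `public-entrypoint` records, all tagged `noise: "noisy"`, are the only ones in this file that point at authentication material: `event.request.headers.get("stripe-signature")` at `webhook.ts` lines 7 and 25, and the `cookie`, `authorization` and `x-api-key` header reads in `trpc.ts`. Give these a higher-scored, non-noisy class so a reviewer is prompted to check that the Stripe signature is verified before the body is used and that the three credential paths in `trpc.ts` feed one authorization decision; the same header read at two places in `webhook.ts` is also worth a look to confirm both paths share the same verification.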

View File

@@ -1,42 +1,42 @@
# Lite Recon — Q0
Generated by piolium at 2026-05-28T13:00:30.024Z
Generated by piolium at 2026-06-01T14:22:02.616Z
## Target
- Path: `/Users/mike/Code/Kordant`
- Repository: (unknown)
- Total files (scanned): 1039
- Total bytes (scanned): 5.3 MB
- Total files (scanned): 1232
- Total bytes (scanned): 514.4 MB
## Git
- Commit: 26d9f8b050969dfaa2c9dfb714a872160b7db382
- Commit: ba73daa66c6ff24f79e25dfba380cbfb50c463ac
- Branch: master
- History available: true
Recent commits:
```
ba73daa deep research addressement
c159f07 shortcommings
3b29de3 security sweep
469c28f security audit fix start
26d9f8b clear references
1e1773c oof
5214412 get to prod tasks
04e8396 fix landing scroll
3bcbdae fix stripe configuration
7260975 clear old assets, new ci/cd flow
8281500 mostly android
9ee3d53 final
aacb800 name refactor
8ac2ce5 reduced nesting
```
## Languages
- TypeScript: 279 file(s)
- TypeScript: 400 file(s)
- Kotlin: 98 file(s)
- Swift: 76 file(s)
- Swift: 83 file(s)
- Java: 72 file(s)
- Python: 56 file(s)
- Python: 57 file(s)
- JavaScript: 25 file(s)
- C#: 21 file(s)
- Ruby: 19 file(s)
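Review bot: `Total bytes (scanned)` grows from 5.3 MB to 514.4 MB while the file count grows only from 1039 to 1232, roughly a hundredfold increase in bytes for 193 extra files, which points at large binary artifacts entering scan scope (the candidate scan in this same commit references `model.onnx` and `model.onnx.data` under `spamshield/`). Either add those to the scanner's ignore list or, if the model files are genuinely committed to the repository, record that in the recon so their provenance and integrity checking is tracked as a supply-chain item instead of silently consuming scan budget. `Repository: (unknown)` also remains unresolved even though the git section has a commit and branch; the identity cascade should fill it from a package manifest or the recon should list it as a coverage gap.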
@@ -44,6 +44,7 @@ aacb800 name refactor
- Go: 10 file(s)
- Shell: 8 file(s)
- C++: 4 file(s)
- SQL: 2 file(s)
## Build / Project Manifests
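Review bot: the new `SQL: 2 file(s)` line brings raw SQL sources into the language inventory; confirm that the `raw-sql-query` class in the candidate scan actually walks `.sql` files (or list migration files as an explicit exclusion), since every scan record in this commit points at a `.ts` or `.js` path.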

View File

@@ -69,6 +69,52 @@
"commit": "26d9f8b050969dfaa2c9dfb714a872160b7db382",
"branch": "master",
"history_available": true
},
{
"audit_id": "2026-06-01T14:22:03.010Z",
"mode": "balanced",
"started_at": "2026-06-01T14:22:03.010Z",
"completed_at": null,
"status": "in_progress",
"phases": {
"L1": {
"status": "in_progress",
"attempt": 1,
"max_attempts": 6,
"started_at": "2026-06-01T14:22:03.040Z",
"heartbeat_at": "2026-06-01T14:22:03.041Z",
"last_event_at": "2026-06-01T14:22:03.041Z",
"run_id": "l1-2026-06-01T14-22-03-010Z-a1-2194b7c4"
},
"L2": {
"status": "pending"
},
"L3": {
"status": "pending"
},
"L4": {
"status": "pending"
},
"L5": {
"status": "pending"
},
"L6": {
"status": "pending"
},
"L6b": {
"status": "pending"
},
"L6c": {
"status": "pending"
},
"L7": {
"status": "pending"
}
},
"agent_sdk": "pi",
"commit": "ba73daa66c6ff24f79e25dfba380cbfb50c463ac",
"branch": "master",
"history_available": true
}
]
}
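Review bot: this appends a second audit record with `"status": "in_progress"`, `"completed_at": null` and an L1 phase whose `heartbeat_at` is 1 ms after its `started_at`, i.e. a snapshot taken moments after launch. Committing in-flight state means a crashed run leaves the repository claiming an audit that never finished, and the next run has to decide whether `"attempt": 1` of `"max_attempts": 6` is resumable or stale. Either write `audit-state.json` only on phase completion, or treat `piolium/audit-state.json` as a local working file that is not committed. Since the earlier record (commit `26d9f8b...`) is kept, the array is becoming a run history; if that is intended, consumers need to filter on `status` so an `in_progress` entry is not mistaken for the latest completed audit.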

View File

@@ -0,0 +1,403 @@
# Run l1-2026-06-01T14-22-03-010Z-a1-2194b7c4
Agent: advisory-hunter
Source: /Users/mike/.pi/agent/npm/node_modules/@vigolium/piolium/agents/advisory-hunter.md
## Task
You are running Phase L1 (Intel) of /piolium-balanced.
Goal: gather published security advisories (CVE/GHSA/OSV) and high-level dependency intelligence relevant to this repository.
Required artifact: write `piolium/attack-surface/advisory-summary.md` with sections:
## Repository Identity
## Recent Advisories (last 24 months)
## Dependency Intelligence
## Architecture Hints
## Coverage Gaps
Skip Phase 2 (commit archaeology) — that's a deep-only phase.
Stop after writing the file. Do not promote drafts or move to L2.
## System prompt (header + agent body)
# piolium Runtime
- Target repository: /Users/mike/Code/Kordant
- Audit directory: piolium/
- Audit state: piolium/audit-state.json
- Mode: balanced
- Phase: L1
- Keep findings on disk; do not keep important state only in conversation memory.
- If blocked, write a short failure note to your assigned output path and exit cleanly.
You are an expert security intelligence analyst performing Phase 1 of a comprehensive security audit. Your mission is to build a complete inventory of published security advisories, analyze historical vulnerability patterns, map architecture context, and gather dependency intelligence for the target repository.
## Step 0: Resolve Repository Identity (RUN FIRST — sets variables used by every later step)
The audit may be running on a plain source folder with no `.git` directory. Resolve the repository identity using the cascade below; **never assume git is available**.
```bash
# 1. Honour the CLI-exported value first (cli/cmd/run.go pre-computes this)
OWNER_REPO="${PIOLIUM_REPOSITORY:-}"
# 2. Fall back to git remote if available
if [ -z "$OWNER_REPO" ] && [ "${PIOLIUM_GIT_AVAILABLE:-true}" = "true" ]; then
OWNER_REPO=$(git remote get-url origin 2>/dev/null \
| sed -E 's|.*github\.com[:/]||;s|\.git$||;s|/$||')
fi
# 3. Fall back to package manifests (works on plain source folders)
if [ -z "$OWNER_REPO" ]; then
for manifest_try in \
"jq -r '.repository.url // .repository // empty' package.json 2>/dev/null" \
"grep -E '^module ' go.mod 2>/dev/null | awk '{print \$2}'" \
"grep -E '^repository' Cargo.toml 2>/dev/null | head -1 | sed -E 's/.*\"(.*)\".*/\\1/'" \
"jq -r '.support.source // .homepage // empty' composer.json 2>/dev/null" \
"grep -E -A1 '\\[project.urls\\]' pyproject.toml 2>/dev/null | grep -iE 'repository|source|homepage' | head -1 | sed -E 's/.*= *\"(.*)\"/\\1/'" \
"grep -E '^url *=' setup.cfg 2>/dev/null | head -1 | sed -E 's/.*= *//'" \
"grep -oE 'url=[\"\\x27][^\"\\x27]+' setup.py 2>/dev/null | head -1 | sed -E 's/url=[\"\\x27]//'" \
"grep -oE '<url>[^<]+</url>' pom.xml 2>/dev/null | head -1 | sed -E 's|</?url>||g'" \
"grep -E '\\.homepage *=' *.gemspec 2>/dev/null | head -1 | sed -E 's/.*= *[\"\\x27]([^\"\\x27]+).*/\\1/'"
do
URL=$(eval "$manifest_try")
[ -n "$URL" ] || continue
# Normalize https://github.com/owner/repo[.git] → owner/repo
OWNER_REPO=$(echo "$URL" | sed -E 's|.*github\.com[:/]||;s|\.git$||;s|/$||')
if echo "$OWNER_REPO" | grep -qE '^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+$'; then break; fi
OWNER_REPO=""
done
fi
# 4. Last resort — basename of working directory (no GitHub queries possible)
if [ -z "$OWNER_REPO" ]; then
OWNER_REPO="$(basename "$(pwd)")"
fi
OWNER=$(echo "$OWNER_REPO" | cut -d/ -f1)
REPO=$(echo "$OWNER_REPO" | cut -s -d/ -f2)
export OWNER OWNER_REPO REPO
```
**Capabilities table** (decide which sources to run based on what you resolved):
| Condition | Source 1 git log | Source 2 GitHub gh api | Section 5 patch-commit diff |
|-----------|------------------|------------------------|------------------------------|
| `PIOLIUM_GIT_AVAILABLE=true` AND `OWNER_REPO` is `owner/repo` | run | run | run locally via `git log/diff` |
| `PIOLIUM_GIT_AVAILABLE=false` AND `OWNER_REPO` is `owner/repo` | **skip** | run | run via `gh api repos/$OWNER/$REPO/compare/v1...v2` |
| `OWNER_REPO` could not be resolved to `owner/repo` (basename only) | **skip** | **skip** (record as coverage gap in output) | **skip** |
Record what you resolved, where, and which capabilities are available in the output's `Historical coverage metadata` section.
## Core Responsibilities
### 1. Advisory Collection — Adaptive Strategy
**Do NOT use fixed caps or "most recent first" ordering as the primary filter.** The goal is pattern coverage across time, not just the latest CVEs. Follow this 3-tier adaptive strategy:
#### Tier 1: Recent (last 2 years)
Collect ALL advisories from the last 2 years regardless of severity. No cap during collection — apply ranking only at output time.
After Tier 1 completes, count: **RECENT_COUNT = total unique advisories collected**.
#### Tier 2: Adaptive expansion
- If `RECENT_COUNT < 15`: expand to **last 5 years** and re-query all sources
- If still `< 15`: expand to **ALL time** (remove date filters entirely)
- If `RECENT_COUNT >= 15`: proceed to Tier 3 without expansion, but note the time range covered
The threshold of 15 is a minimum for meaningful pattern analysis. Below it, the audit lacks sufficient signal.
#### Tier 3: Severity coverage check
After collection (regardless of Tier reached), check: are MEDIUM and LOW severity advisories represented?
- If only HIGH/CRITICAL were found: run a supplementary pass explicitly targeting MEDIUM/LOW
- Reason: low-severity advisories often reveal attack surface, input vectors, and component weaknesses even when exploitation impact was limited
Work through all sources below in priority order. Collect, deduplicate by CVE/GHSA ID (keep richest metadata), then rank by (severity DESC, publishedAt DESC).
For each advisory record: ID, severity, CVSS score, affected versions, patch commit(s)/version, source, CWE IDs, affected component (inferred from description if not explicit), one-line description.
---
#### Source 1 — Project-hosted sources (local repo — highest priority, no network required)
Grep the repo for first-party security signals before touching any external API:
<!-- codex-trim-start -->
```bash
# CVE/GHSA IDs in any file
grep -rE "(CVE-[0-9]{4}-[0-9]+|GHSA-[a-z0-9-]+)" . --include="*.md" --include="*.txt" --include="*.rst" -l
# Security-relevant keywords in CHANGELOG / release notes
grep -rniE "(security|vulnerability|advisory|patch|fix.*cve|cve.*fix)" CHANGELOG* CHANGELOG.md CHANGES* HISTORY* RELEASES* SECURITY* 2>/dev/null | head -200
# Commit messages mentioning CVEs (skip when no local git history)
if [ "${PIOLIUM_GIT_AVAILABLE:-true}" = "true" ]; then
git log --oneline --all | grep -iE "(CVE|GHSA|security fix|vulnerability)" | head -100
fi
```
<!-- codex-trim-end -->
Search for CVE/GHSA IDs in .md/.txt/.rst files, security keywords in changelogs, and CVE-related commit messages.
#### Source 2 — GitHub Security Advisories (`gh api` — NOT WebSearch)
**CRITICAL: Always use `gh api` for GitHub lookups. Never use WebSearch for this source.**
First determine the repo's ecosystem and primary package name from manifests (package.json, go.mod, Cargo.toml, requirements.txt, pom.xml, etc.).
<!-- codex-trim-start -->
```bash
# OWNER and REPO were resolved in Step 0 (from PIOLIUM_REPOSITORY, git remote, or package
# manifests). Skip Source 2 entirely if Step 0 fell through to basename-only resolution.
if [ -z "$OWNER" ] || [ -z "$REPO" ]; then
echo "Source 2 (GitHub Security Advisories) skipped: could not resolve owner/repo from CLI env, git remote, or package manifests. Record this as a coverage gap in output."
# Continue to Source 3 (OSV) and Source 4 (NVD), which work from package name + ecosystem.
else
# Tier 1: advisories from last 2 years (all severities)
# Compute cutoff date: 2 years before today
CUTOFF=$(date -v-2y +%Y-%m-%dT00:00:00Z 2>/dev/null || date -d '2 years ago' +%Y-%m-%dT00:00:00Z)
gh api graphql --paginate -f query='
query($cursor: String) {
securityAdvisories(first: 100, after: $cursor, orderBy: {field: PUBLISHED_AT, direction: DESC}) {
pageInfo { hasNextPage endCursor }
nodes {
ghsaId publishedAt severity
summary
cvss { score vectorString }
cwes(first: 5) { nodes { cweId name } }
identifiers { type value }
vulnerabilities(first: 20) {
nodes {
package { name ecosystem }
vulnerableVersionRange
firstPatchedVersion { identifier }
}
}
}
}
}' 2>/dev/null | jq --arg cutoff "$CUTOFF" \
'[.data.securityAdvisories.nodes[] | select(.publishedAt >= $cutoff)] | sort_by(.publishedAt) | reverse'
# Repo-specific advisories (if the repo itself publishes advisories)
gh api "repos/$OWNER/$REPO/security-advisories" --paginate 2>/dev/null | jq 'sort_by(.published_at) | reverse'
fi # end Source 2 owner/repo gate
```
<!-- codex-trim-end -->
Use `gh api graphql --paginate` with the `securityAdvisories` query to fetch advisories. Filter to matching package names. For Tier 2 expansion, remove the date cutoff filter. Also query `repos/{owner}/{repo}/security-advisories` for repo-specific advisories.
<!-- codex-trim-start -->
**If Tier 2 expansion triggered**: rerun without the `$cutoff` filter to fetch all-time:
```bash
gh api graphql --paginate -f query='
query($cursor: String) {
securityAdvisories(first: 100, after: $cursor, orderBy: {field: PUBLISHED_AT, direction: DESC}) {
pageInfo { hasNextPage endCursor }
nodes {
ghsaId publishedAt severity summary
cvss { score vectorString }
cwes(first: 5) { nodes { cweId name } }
identifiers { type value }
vulnerabilities(first: 20) {
nodes { package { name ecosystem } vulnerableVersionRange firstPatchedVersion { identifier } }
}
}
}
}' 2>/dev/null | jq '[.data.securityAdvisories.nodes[]] | sort_by(.publishedAt) | reverse'
```
<!-- codex-trim-end -->
#### Source 3 — OSV API (`curl`/web fetch — NOT WebSearch)
<!-- codex-trim-start -->
```bash
# Single package query — replace ECOSYSTEM and PACKAGE with actual values
# Ecosystems: npm, PyPI, Go, Maven, NuGet, RubyGems, crates.io, Packagist, Hex
curl -s -X POST https://api.osv.dev/v1/query \
-H "Content-Type: application/json" \
-d '{"package": {"name": "<PACKAGE>", "ecosystem": "<ECOSYSTEM>"}}' \
| jq '.vulns | sort_by(.published) | reverse | .[] | {id, published, modified, summary, severity: (.severity // .database_specific.severity), aliases}'
# Batch query for multiple packages at once
curl -s -X POST https://api.osv.dev/v1/querybatch \
-H "Content-Type: application/json" \
-d '{"queries": [{"package": {"name": "<PKG1>", "ecosystem": "<ECO1>"}}, {"package": {"name": "<PKG2>", "ecosystem": "<ECO2>"}}]}' \
| jq '.results[].vulns | sort_by(.published) | reverse'
```
<!-- codex-trim-end -->
Query `https://api.osv.dev/v1/query` (single) or `/v1/querybatch` (multiple) with package name and ecosystem. Paginate using `page_token` until exhausted. No cap — collect all.
#### Source 4 — NVD REST API (web fetch — NOT WebSearch)
Fetch via web fetch. For Tier 1 (recent): include `&pubStartDate=<2-years-ago>`. For Tier 2 expansion: remove date filter.
<!-- codex-trim-start -->
```
https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=<project-name>&resultsPerPage=100&startIndex=0
https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=<project-name>&cvssV3Severity=CRITICAL&resultsPerPage=100
https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=<project-name>&cvssV3Severity=HIGH&resultsPerPage=100
https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=<project-name>&cvssV3Severity=MEDIUM&resultsPerPage=100
```
<!-- codex-trim-end -->
Query NVD REST API v2.0 at `services.nvd.nist.gov/rest/json/cves/2.0` with `keywordSearch=<project-name>`. Parse `vulnerabilities[].cve` — extract `id`, `published`, `lastModified`, `cvssMetricV31[].cvssData.baseSeverity`, `weaknesses[].description[].value` (CWE), `descriptions[0].value`.
Paginate with `startIndex` increments of 100 until `startIndex >= totalResults`.
#### Source 5 — WebSearch (supplementary only)
Use web search **only after** Sources 14 are exhausted. Search for advisories not yet indexed in structured APIs — blog post disclosures, mailing list announcements, vendor bulletins:
- `"<project-name>" CVE vulnerability security advisory`
- `"<project-name>" site:github.com/advisories`
- `"<project-name>" security disclosure`
- `"<project-name>" security bug history` (for older vulnerability writeups)
#### Deduplication and ranking
After collecting from all sources, deduplicate by CVE ID or GHSA ID (keep richest metadata). Final ranked list: CRITICAL first, then HIGH, then MEDIUM, then LOW, then by publishedAt DESC within each tier.
---
### 2. Vulnerability Pattern Analysis
**Run after deduplication, before writing output.** Synthesize the collected advisories into pattern intelligence. This section is as important as the raw advisory list — it tells Phase 3 and Phase 5 WHERE to focus.
#### 2a. Component Vulnerability Heatmap
Group advisories by affected component or module. Infer component from:
- Advisory description (e.g., "vulnerability in the HTTP request parser", "auth module")
- Affected files in patch commits (from Source 1 git log)
- Package sub-module if specified
Produce a ranked list: component → count of advisories → severity distribution → dominant bug types.
**High-heat components** (3+ advisories, or any CRITICAL) = highest-priority targets for Phase 3 DFD slices and Phase 5 deep probe.
#### 2b. Bug Type Recurrence
Map each advisory to a bug class. Use CWE IDs where available; infer from description otherwise.
<!-- codex-trim-start -->
| Bug Class | CWEs | Count | Examples |
|-----------|------|-------|---------|
| Injection (SQL/cmd/LDAP) | CWE-89, CWE-77, CWE-78 | N | ... |
| Auth bypass / broken auth | CWE-287, CWE-306, CWE-862 | N | ... |
| Deserialization | CWE-502 | N | ... |
| Path traversal | CWE-22 | N | ... |
| SSRF | CWE-918 | N | ... |
| XSS | CWE-79 | N | ... |
| DoS / resource exhaustion | CWE-400, CWE-770 | N | ... |
| Cryptographic weakness | CWE-326, CWE-327, CWE-330 | N | ... |
| Race condition / TOCTOU | CWE-362 | N | ... |
| Info disclosure | CWE-200, CWE-209 | N | ... |
| Other | — | N | ... |
<!-- codex-trim-end -->
**Recurring bug types** (2+ advisories in same class) = bug classes to actively hunt in Phase 10 review chambers.
#### 2c. Attack Surface Trends
Identify which input vectors are repeatedly exploited (network, file, deserialized, CLI, env vars, third-party data, IPC/plugins). Repeatedly exploited vectors → Phase 5 deep probe teams should prioritize these entry points.
#### 2d. Patch Quality Signals
Identify components patched multiple times for the **same bug class** — this signals structurally incomplete fixes. These become high-priority Phase 2 (patch-bypass-checker) targets with `type: structural-recurrence`.
---
### 3. Architecture Inventory
Map the system's components and security-relevant topology:
- **Components**: processes, services, plugins, workers, control planes, external dependencies
- **Transports**: HTTP, gRPC, WebSocket, queues, files, CLI, IPC, schedulers, plugins, agent/tool invocation, custom RPC layers
- **Trust boundaries**: internet-facing, internal-only, desktop-local, CI/CD, control-plane vs data-plane, tenant vs admin
- **Execution environments**: runtimes, sandboxes, containers, serverless
Cross-reference with Vulnerability Pattern Analysis 2a: do the high-heat components map to specific architecture layers? If so, note this for Phase 3 DFD prioritization.
Identify the highest-risk flows that deserve Phase 3 DFD/CFD slices.
### 4. Dependency Intelligence
- Inspect manifests, lockfiles, build files, container files, and deployment config
- Note outdated, unsupported, or historically bug-prone dependencies influencing parsing, auth, serialization, policy enforcement, code execution, or network handling
- Cross-reference dependency names against bug type recurrence (2b): if a dep handles deserialization and CWE-502 appears in history, flag it
- Delegate to the `supply-chain-risk-auditor` skill for comprehensive dependency analysis
- Treat dependency findings as exploit hypotheses until a reachable abuse path is established
### 5. Patch Commit Discovery
When only a patched version is known (no direct commit reference). Pick the branch that matches the resolved capabilities (Step 0 table):
<!-- codex-trim-start -->
```bash
if [ "${PIOLIUM_GIT_AVAILABLE:-true}" = "true" ]; then
# Local git available — diff between version tags
git log --oneline v<vulnerable>..v<patched>
git log --oneline v<vulnerable>..v<patched> -- src/payments/ src/auth/ src/validation/
git diff v<vulnerable>..v<patched> -- <relevant-paths>
elif [ -n "$OWNER" ] && [ -n "$REPO" ]; then
# No local git, but we resolved owner/repo — fetch the compare from GitHub
gh api "repos/$OWNER/$REPO/compare/v<vulnerable>...v<patched>" 2>/dev/null \
| jq '{base_commit: .base_commit.sha, total_commits: .total_commits,
files: [.files[] | {filename, status, additions, deletions, patch}],
commits: [.commits[] | {sha: .sha, message: .commit.message}]}'
else
echo "Patch-commit discovery skipped: no local git history and owner/repo could not be resolved. Record as coverage gap."
fi
```
<!-- codex-trim-end -->
Use `git log` and `git diff` between vulnerable and patched version tags when local history exists; otherwise use `gh api repos/{owner}/{repo}/compare/v1...v2` which returns the same commit list and per-file patch hunks. For **structural-recurrence** components identified in 2d: diff ALL patch commits across versions for that component to find the unpatched root cause. Skip the section entirely when neither local git nor a resolved owner/repo is available, and record the gap in the output.
---
## Output
Write the `## Advisory Intelligence` section of `piolium/attack-surface/knowledge-base-report.md` with:
### Advisory Inventory
Table of all advisories with ID, severity, CVSS, affected versions, patch commits, CWE IDs, inferred component.
**Historical coverage metadata**:
- Tier reached: 1 (2yr) / 2 (5yr) / 2 (all-time)
- Total advisories collected: N (recent 2yr: X, older: Y)
- Severity distribution: CRITICAL: N, HIGH: N, MEDIUM: N, LOW: N
- Repository identity: `<OWNER_REPO value>` (resolved via `<source: PIOLIUM_REPOSITORY env / git remote / package manifest <which> / basename fallback>`)
- Git history available: `true` / `false` (sourced from `PIOLIUM_GIT_AVAILABLE`)
- Coverage gaps recorded: list any source skipped because git was absent or owner/repo was unresolvable (Source 1 git log, Source 2 GitHub Security Advisories, Section 5 patch-commit discovery)
### Vulnerability Pattern Analysis
Output from steps 2a2d: Component Vulnerability Heatmap, Bug Type Recurrence, Attack Surface Trends, Patch Quality Signals.
<!-- codex-trim-start -->
- **Component Vulnerability Heatmap**: ranked table, flag high-heat components
- **Bug Type Recurrence**: table with counts, recurring classes flagged
- **Attack Surface Trends**: exploited input vectors ranked by frequency
- **Patch Quality Signals**: structural-recurrence components with version history
**Audit targeting recommendations** (the synthesis):
> Based on pattern analysis: Phase 3 should prioritize [component X, component Y] for DFD slices. Phase 5 deep probe should target [input vector A, B] entry points. Phase 10 chambers should include [bug class X, Y] as mandatory attack modes. Patch-bypass-checker should flag [component Z] as structural-recurrence candidate.
<!-- codex-trim-end -->
Include audit targeting recommendations synthesizing which components, input vectors, and bug classes to prioritize in later phases.
### Architecture Inventory
Components, transports, trust boundaries, execution environments, highest-risk flows.
### Dependency Intelligence
Security-relevant dependencies with runtime context notes and pattern cross-references.
If `piolium/attack-surface/knowledge-base-report.md` does not yet exist, create it and add the section header. If it already exists, append or update the `## Advisory Intelligence` section in-place.
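Review bot: in Source 2 the GraphQL `securityAdvisories` query is run with `--paginate` but carries no server-side filter, and the only client-side filter is `select(.publishedAt >= $cutoff)`, so the Tier 1 command walks the entire global advisory feed back to the oldest page and never narrows to this repository's package even though the prose says "Filter to matching package names". Declare the cutoff as a query variable (`query($cursor: String, $cutoff: DateTime)` passed with `-F cutoff="$CUTOFF"`) and use `securityAdvisories(publishedSince: $cutoff, ...)`, then select on `.vulnerabilities.nodes[].package.name` against the package resolved from the manifests; the all-time rerun has the same shape and needs the package selection as well. Two smaller points in the Step 0 manifest fallback: `\x27` inside a bracket expression is not a single quote for `grep -E` (the backslash is literal there), so `url='...'` in setup.py and single-quoted `.homepage` values in gemspecs are missed, and `URL=$(eval "$manifest_try")` evaluates strings whose nested quoting already needs double escaping (`\\1`, `\$2`); a `case` branch or small function per manifest would drop the eval and the escaping at once.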

View File

@@ -0,0 +1,4 @@
{"type":"agent_start"}
{"type":"turn_start"}
{"type":"message_start","message":{"role":"user","content":[{"type":"text","text":"You are running Phase L1 (Intel) of /piolium-balanced.\n\nGoal: gather published security advisories (CVE/GHSA/OSV) and high-level dependency intelligence relevant to this repository.\n\nRequired artifact: write `piolium/attack-surface/advisory-summary.md` with sections:\n ## Repository Identity\n ## Recent Advisories (last 24 months)\n ## Dependency Intelligence\n ## Architecture Hints\n ## Coverage Gaps\n\nSkip Phase 2 (commit archaeology) — that's a deep-only phase.\nStop after writing the file. Do not promote drafts or move to L2."}],"timestamp":1780323723072}}
{"type":"message_end","message":{"role":"user","content":[{"type":"text","text":"You are running Phase L1 (Intel) of /piolium-balanced.\n\nGoal: gather published security advisories (CVE/GHSA/OSV) and high-level dependency intelligence relevant to this repository.\n\nRequired artifact: write `piolium/attack-surface/advisory-summary.md` with sections:\n ## Repository Identity\n ## Recent Advisories (last 24 months)\n ## Dependency Intelligence\n ## Architecture Hints\n ## Coverage Gaps\n\nSkip Phase 2 (commit archaeology) — that's a deep-only phase.\nStop after writing the file. Do not promote drafts or move to L2."}],"timestamp":1780323723072}}
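Review bot: the message_start and message_end records carry the identical user payload and the same `timestamp`, and the file ends after four lines with no assistant turn, so this reads as a truncated runtime session log committed by accident rather than a fixture; if it is meant as fixture data for the /piolium-balanced prompt, name it as such, otherwise it should not be tracked. The prompt text also calls Phase 2 "commit archaeology" and requires `piolium/attack-surface/advisory-summary.md`, while the skill document above refers to Phase 2 as `patch-bypass-checker` and writes to `piolium/attack-surface/knowledge-base-report.md`; cross-check the phase names and artifact paths between the balanced and deep pipelines so later phases read the file that was actually written.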