android flesh out

2026-06-01 12:58:34 -04:00
parent ba73daa66c
commit 542172d1e8
183 changed files with 26946 additions and 761 deletions


@@ -1,27 +1,27 @@
# Candidate Scan
Generated by piolium at 2026-05-28T13:00:30.318Z
Generated by piolium at 2026-06-01T14:22:03.009Z
## Totals
- Files scanned: 730
- Candidate files: 218
- Candidate matches: 1412
- Files scanned: 880
- Candidate files: 259
- Candidate matches: 1703
- Per-file records: disabled (set PIOLIUM_FILE_RECORDS=1 to enable)
## Candidate Classes
- secret-literal: 9 match(es), max score 122. Hardcoded secret-like literal.
- command-execution: 55 match(es), max score 90. Potential command execution or shell invocation with variable input.
- dynamic-code-execution: 12 match(es), max score 90. Dynamic code execution, expression evaluation, or runtime compilation.
- raw-sql-query: 611 match(es), max score 87. Raw SQL construction or query execution that may need parameterization review.
- hidden-control-channel: 42 match(es), max score 87. Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.
- secret-literal: 14 match(es), max score 122. Hardcoded secret-like literal.
- command-execution: 65 match(es), max score 90. Potential command execution or shell invocation with variable input.
- dynamic-code-execution: 27 match(es), max score 90. Dynamic code execution, expression evaluation, or runtime compilation.
- raw-sql-query: 644 match(es), max score 87. Raw SQL construction or query execution that may need parameterization review.
- hidden-control-channel: 165 match(es), max score 87. Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.
- open-redirect: 2 match(es), max score 81. Redirect sink that may accept user-controlled URLs.
- path-traversal-file-access: 638 match(es), max score 79. Filesystem access using path joins or user-controllable paths.
- webhook-without-obvious-signature: 6 match(es), max score 79. Webhook handler path that should be checked for signature verification.
- path-traversal-file-access: 688 match(es), max score 79. Filesystem access using path joins or user-controllable paths.
- webhook-without-obvious-signature: 41 match(es), max score 79. Webhook handler path that should be checked for signature verification.
- ssrf-capable-request: 26 match(es), max score 71. Outbound HTTP request site that may be attacker-controlled.
- unsafe-html-or-template: 17 match(es), max score 71. HTML injection sink or template escape bypass.
- ssrf-capable-request: 10 match(es), max score 71. Outbound HTTP request site that may be attacker-controlled.
- weak-token-or-crypto: 5 match(es), max score 63. Token, JWT, randomness, or crypto usage that deserves review.
- weak-token-or-crypto: 9 match(es), max score 63. Token, JWT, randomness, or crypto usage that deserves review.
- public-entrypoint: 5 match(es), max score 54. Public route, handler, controller, workflow, or operation entry point.
## Top Files
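Review bot: the Totals and Candidate Classes block is committed as a regenerated report with large count jumps (hidden-control-channel 42 to 165, webhook-without-obvious-signature 6 to 41, secret-literal 9 to 14) and nothing in the diff records which of the new matches were triaged. Suggest committing a baseline or suppression file next to this report, or at least a short note under `## Candidate Classes` naming the classes that were reviewed, so that future diffs of this file show only new findings instead of re-counts of known noise.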
@@ -35,47 +35,49 @@ Generated by piolium at 2026-05-28T13:00:30.318Z
- `honker/tests/test_real_e2e_scenarios.py`: score 1810, 32 match(es)
- `honker/tests/test_extension_interop.py`: score 1760, 32 match(es)
- `honker/tests/test_stream.py`: score 1650, 30 match(es)
- `web/src/server/services/hometitle/county-scrapers/unified-parser.ts`: score 1530, 18 match(es)
- `honker/tests/test_tasks.py`: score 1485, 27 match(es)
- `web/src/routes/api/stripe/webhook.test.ts`: score 1422, 18 match(es)
- `honker/tests/test_task_results.py`: score 1375, 25 match(es)
- `honker/tests/test_outbox.py`: score 1320, 24 match(es)
- `honker/packages/honker/python/honker/_honker.py`: score 1265, 23 match(es)
- `web/src/server/services/darkwatch/shodan.client.ts`: score 1265, 23 match(es)
- `web/src/routes/api/stripe/webhook.ts`: score 1239, 16 match(es)
- `web/src/middleware.ts`: score 1197, 19 match(es)
- `web/src/server/services/darkwatch/shodan.client.test.ts`: score 1190, 21 match(es)
- `honker/packages/honker-node/test/basic.js`: score 1155, 21 match(es)
- `web/src/server/websocket.ts`: score 1155, 21 match(es)
- `honker/packages/honker-bun/test/watcher_backends_queue_e2e.test.ts`: score 1150, 20 match(es)
- `honker/packages/honker-node/api.js`: score 1134, 18 match(es)
- `honker/packages/honker-bun/test/parity.test.ts`: score 1115, 17 match(es)
- `web/src/server/api/routers/removebrokers.ts`: score 1106, 14 match(es)
- `honker/tests/test_multiprocess.py`: score 1065, 18 match(es)
- `honker/packages/honker-bun/test/python_interop.test.ts`: score 930, 16 match(es)
- `honker/bench/real_bench.py`: score 925, 15 match(es)
- `honker/packages/honker-node/test/watcher_backends_e2e.js`: score 905, 16 match(es)
- `honker/tests/test_crash_recovery.py`: score 905, 16 match(es)
- `honker/packages/honker-bun/test/basic.test.ts`: score 880, 16 match(es)
- `web/src/server/websocket.test.ts`: score 880, 16 match(es)
- `honker/packages/honker-node/examples/atomic.js`: score 825, 15 match(es)
- `web/src/server/api/routers/correlation.test.ts`: score 790, 10 match(es)
- `honker/bench/ext_bench.py`: score 770, 14 match(es)
- `honker/packages/honker-jvm/src/main/java/dev/honker/Database.java`: score 770, 14 match(es)
- `honker/packages/honker-ruby/spec/parity_spec.rb`: score 770, 14 match(es)
- `honker/tests/test_phase_mantle.py`: score 770, 14 match(es)
- `honker/tests/test_task_expiration.py`: score 715, 13 match(es)
- `honker/tests/test_task_locking.py`: score 715, 13 match(es)
- `honker/tests/test_worker_task_options.py`: score 715, 13 match(es)
- `honker/packages/honker-node/test/watcher_backends_queue_e2e.js`: score 710, 12 match(es)
- `honker/packages/honker-jvm/src/main/java/dev/honker/Queue.java`: score 660, 12 match(es)
- `honker/packages/honker-node/test/cross_lang_python_to_node.js`: score 660, 12 match(es)
- `honker/packages/honker-ruby/lib/honker.rb`: score 660, 12 match(es)
- `honker/packages/honker-ruby/spec/honker_spec.rb`: score 655, 11 match(es)
- `honker/tests/test_time_triggers_e2e.py`: score 630, 11 match(es)
- `web/src/middleware.ts`: score 630, 10 match(es)
- `web/src/routes/api/stripe/webhook.ts`: score 607, 8 match(es)
- `honker/packages/honker/python/honker/_scheduler.py`: score 605, 11 match(es)
## Highest-Ranked Matches
- secret-literal (precise, score 122) at `web/src/server/api/routers/billing.test.ts:164` - clientSecret: "cs_123_secret",
- secret-literal (precise, score 122) at `web/src/server/api/routers/billing.test.ts:220` - clientSecret: "cs_123_secret",
- secret-literal (precise, score 106) at `web/src/routes/(auth)/login.tsx:30` - if (!password()) errs.password = "Password is required";
- secret-literal (precise, score 106) at `web/src/routes/(auth)/reset-password.tsx:27` - if (!password()) errs.password = "Password is required";
- secret-literal (precise, score 106) at `web/src/routes/(auth)/reset-password.tsx:29` - errs.password = "Password must be at least 8 characters";
- secret-literal (precise, score 106) at `web/src/routes/(auth)/signup.tsx:66` - if (!password()) errs.password = "Password is required";
- secret-literal (precise, score 106) at `web/src/routes/(auth)/signup.tsx:68` - errs.password = "Password must be at least 8 characters";
- secret-literal (precise, score 98) at `web/src/server/services/billing.service.test.ts:116` - client_secret: "cs_123_secret",
- secret-literal (precise, score 98) at `web/src/server/services/billing.service.test.ts:140` - client_secret: "cs_123_secret",
- secret-literal (precise, score 98) at `web/src/server/services/billing.service.test.ts:178` - client_secret: "cs_trial_secret",
- secret-literal (precise, score 98) at `web/src/server/services/billing.service.test.ts:216` - client_secret: "cs_upgrade_secret",
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/examples/atomic.ts:21` - db.raw.exec(
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:343` - this.raw.exec("BEGIN IMMEDIATE");
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:422` - raw.exec("PRAGMA busy_timeout = 5000;");
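Review bot: the `secret-literal` matcher scores `if (!password()) errs.password = "Password is required";` and `errs.password = "Password must be at least 8 characters";` at 106, above the `cs_123_secret` test fixtures, yet these are user-facing validation messages, not credentials; the pattern appears to key on the field name `password` rather than on the shape of the literal. Suggest requiring the literal to look like a token (length, charset, no spaces) before scoring it, and down-weighting `*.test.ts` fixtures such as `clientSecret: "cs_123_secret"`. The three `dynamic-code-execution` hits that close the hunk are SQLite `raw.exec(...)` calls with constant SQL (`"BEGIN IMMEDIATE"`, `"PRAGMA busy_timeout = 5000;"`), which is statement execution rather than code evaluation and belongs, if anywhere, under `raw-sql-query`.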
@@ -94,17 +96,35 @@ Generated by piolium at 2026-05-28T13:00:30.318Z
- command-execution (precise, score 90) at `honker/packages/honker-go/watcher_backends_queue_test.go:194` - cmd := exec.Command(os.Args[0], "-test.run", "^TestWatcherBackendQueueHelper$")
- command-execution (precise, score 90) at `honker/packages/honker-go/watcher_backends_queue_test.go:226` - cmd := exec.Command(os.Args[0], "-test.run", "^TestWatcherBackendQueueHelper$")
- dynamic-code-execution (precise, score 90) at `honker/scripts/test_sqlite_versions.py:103` - assert rc == SQLITE_OK, f"exec({sql!r}) failed: {rc}"
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:216` - model.eval()
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:216` - model.eval()
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:216` - model.eval()
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:280` - model.eval()
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:280` - model.eval()
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:280` - model.eval()
- secret-literal (precise, score 90) at `web/src/server/services/darkwatch/hibp.client.test.ts:65` - const apiKey = "test-api-key";
- secret-literal (precise, score 90) at `web/src/server/services/darkwatch/shodan.client.test.ts:13` - const apiKey = "test-shodan-key";
- secret-literal (precise, score 90) at `web/src/server/services/hometitle/attom.client.test.ts:170` - const apiKey = "test-attom-api-key";
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:101` - while ((tableMatch = tableRegex.exec(html)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:127` - while ((rowMatch = rowRegex.exec(tableHtml)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:153` - while ((match = cellRegex.exec(headerRowHtml)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:160` - while ((match = tdRegex.exec(headerRowHtml)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:199` - while ((match = cellRegex.exec(rowHtml)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:294` - while ((match = labelSpanPattern.exec(html)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:302` - while ((match = thTdPattern.exec(html)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:310` - while ((match = divFieldPattern.exec(html)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:318` - while ((match = plainLabelPattern.exec(html)) !== null) {
- secret-literal (precise, score 90) at `web/src/server/services/notification.service.test.ts:220` - token: "existing-token",
- secret-literal (precise, score 90) at `web/src/server/services/notification.service.test.ts:256` - token: "other-user-token",
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/admin.ts:40` - stats: adminProcedure.query(async ({ ctx }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/admin.ts:58` - blogList: adminProcedure.query(async ({ ctx }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/admin.ts:64` - .query(async ({ ctx, input }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/admin.ts:137` - userList: adminProcedure.query(async ({ ctx }) => {
- hidden-control-channel (normal, score 87) at `web/src/server/api/routers/billing.test.ts:73` - const isAuthed = t.middleware(({ ctx, next }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.test.ts:80` - .query(async () => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.test.ts:113` - .query(async ({ ctx, input }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.ts:33` - getSubscription: protectedProcedure.query(async ({ ctx }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.ts:155` - .query(async ({ ctx, input }) => {
- hidden-control-channel (normal, score 87) at `web/src/server/api/routers/billing.test.ts:95` - const isAuthed = t.middleware(({ ctx, next }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.test.ts:102` - .query(async () => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.test.ts:168` - .query(async ({ ctx, input }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.ts:43` - getSubscription: protectedProcedure.query(async ({ ctx }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.ts:304` - .query(async ({ ctx, input }) => {
- open-redirect (normal, score 81) at `web/src/routes/(admin)/blog/index.tsx:32` - if (redirect()) return <Navigate href="/admin/blog/new" />;
- command-execution (precise, score 80) at `honker/bench/real_bench.py:180` - def spawn(script: str) -> subprocess.Popen:
- command-execution (precise, score 80) at `honker/bench/real_bench.py:181` - return subprocess.Popen(
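Review bot: the same source line is emitted three times for `ml/spam-classifier/train.py:216` and three times for `:280` (`model.eval()`), and `honker/scripts/test_sqlite_versions.py:103` appears under both `dynamic-code-execution` and `command-execution` even though the snippet is an `assert` message f-string; these duplicates inflate the per-class counts and the per-file scores in `## Top Files`. Suggest de-duplicating by (file, line, class) before scoring, and tightening the `exec`/`eval` patterns so that PyTorch `model.eval()`, JavaScript `RegExp.prototype.exec` (`tableRegex.exec(html)`), tRPC `.query(async ({ ctx }) => {` procedure definitions and the `t.middleware(({ ctx, next }) => {` definition in `billing.test.ts` are not classed as code execution, raw SQL or a header read. The `open-redirect` hit at `blog/index.tsx:32` is a `<Navigate href="/admin/blog/new" />` with a constant path, so there is no user-controlled URL to review there.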
@@ -129,26 +149,6 @@ Generated by piolium at 2026-05-28T13:00:30.318Z
- command-execution (precise, score 80) at `honker/packages/honker-node/index.js:56` - return require('child_process').execSync('ldd --version', { encoding: 'utf8' }).includes('musl')
- command-execution (precise, score 80) at `honker/packages/honker-node/native.js:56` - return require('child_process').execSync('ldd --version', { encoding: 'utf8' }).includes('musl')
- command-execution (precise, score 80) at `honker/packages/honker-node/test/cross_lang_shared.js:28` - return spawn(PYTHON, ['-c', script], { stdio });
- command-execution (precise, score 80) at `honker/packages/honker-node/test/watcher_backends_e2e.js:29` - return spawn(process.execPath, ['-e', script], {
- command-execution (precise, score 80) at `honker/packages/honker-node/test/watcher_backends_queue_e2e.js:38` - return spawn(process.execPath, ['-e', script], {
- command-execution (precise, score 80) at `honker/packages/honker-node/test/watcher_backends_queue_e2e.js:155` - const res = spawnSync(process.execPath, ['-e', script], {
- command-execution (precise, score 80) at `honker/packages/honker-ruby/ext/honker/extconf.rb:24` - cargo_found = system("cargo", "--version", out: File::NULL, err: File::NULL)
- command-execution (precise, score 80) at `honker/packages/honker-ruby/ext/honker/extconf.rb:48` - system(
- command-execution (precise, score 80) at `honker/packages/honker-ruby/spec/honker_spec.rb:176` - pid = Process.spawn(
- command-execution (precise, score 80) at `honker/packages/honker-ruby/spec/honker_spec.rb:191` - Process.spawn(
- command-execution (precise, score 80) at `honker/packages/honker-ruby/spec/railtie_spec.rb:36` - out = IO.popen([RbConfig.ruby, "-e", script], &:read)
- command-execution (precise, score 80) at `honker/scripts/test_sqlite_versions.py:44` - out = subprocess.check_output(["otool", "-L", mod_path], text=True)
- command-execution (precise, score 80) at `honker/scripts/test_sqlite_versions.py:103` - assert rc == SQLITE_OK, f"exec({sql!r}) failed: {rc}"
- command-execution (precise, score 80) at `honker/tests/test_crash_recovery.py:54` - return subprocess.Popen(
- command-execution (precise, score 80) at `honker/tests/test_cross_process_wake_latency.py:72` - proc = subprocess.Popen(
- command-execution (precise, score 80) at `honker/tests/test_fault_injection.py:112` - subprocess.run(
- command-execution (precise, score 80) at `honker/tests/test_fault_injection.py:143` - subprocess.run(["umount", str(mount_dir)], check=False)
- command-execution (precise, score 80) at `honker/tests/test_joblite.py:79` - return subprocess.Popen(
- command-execution (precise, score 80) at `honker/tests/test_multiprocess.py:63` - return subprocess.run(
- command-execution (precise, score 80) at `honker/tests/test_multiprocess.py:219` - return subprocess.run(
- command-execution (precise, score 80) at `honker/tests/test_multiprocess.py:277` - return subprocess.run(
- command-execution (precise, score 80) at `honker/tests/test_real_e2e_scenarios.py:270` - return subprocess.Popen(
- command-execution (precise, score 80) at `honker/tests/test_real_e2e_scenarios.py:279` - return subprocess.run(
## Custom Matchers
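Review bot: every `command-execution` entry in this hunk sits under a `tests/`, `bench/`, `spec/`, `ext/` or `scripts/` path, and most invoke a fixed argument vector (`exec.Command(os.Args[0], "-test.run", ...)`, `execSync('ldd --version', ...)`, `system("cargo", "--version", ...)`), so the class description "shell invocation with variable input" does not hold for them. Suggest scoring argv-literal calls lower than calls whose arguments are assembled from variables, and applying a path-based weight for test and benchmark directories so the production sites stand out; the identical `execSync('ldd --version', ...)` line at `honker-node/index.js:56` and `honker-node/native.js:56` also looks like duplicated code worth consolidating.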


@@ -1,10 +1,12 @@
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/api/routers/billing.test.ts","line":164,"snippet":"clientSecret: \"cs_123_secret\",","matchedPattern":"secret assignment","score":122,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/api/routers/billing.test.ts","line":220,"snippet":"clientSecret: \"cs_123_secret\",","matchedPattern":"secret assignment","score":122,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/routes/(auth)/login.tsx","line":30,"snippet":"if (!password()) errs.password = \"Password is required\";","matchedPattern":"secret assignment","score":106,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/routes/(auth)/reset-password.tsx","line":27,"snippet":"if (!password()) errs.password = \"Password is required\";","matchedPattern":"secret assignment","score":106,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/routes/(auth)/reset-password.tsx","line":29,"snippet":"errs.password = \"Password must be at least 8 characters\";","matchedPattern":"secret assignment","score":106,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/routes/(auth)/signup.tsx","line":66,"snippet":"if (!password()) errs.password = \"Password is required\";","matchedPattern":"secret assignment","score":106,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/routes/(auth)/signup.tsx","line":68,"snippet":"errs.password = \"Password must be at least 8 characters\";","matchedPattern":"secret assignment","score":106,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/billing.service.test.ts","line":116,"snippet":"client_secret: \"cs_123_secret\",","matchedPattern":"secret assignment","score":98,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/billing.service.test.ts","line":140,"snippet":"client_secret: \"cs_123_secret\",","matchedPattern":"secret assignment","score":98,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/billing.service.test.ts","line":178,"snippet":"client_secret: \"cs_trial_secret\",","matchedPattern":"secret assignment","score":98,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/billing.service.test.ts","line":216,"snippet":"client_secret: \"cs_upgrade_secret\",","matchedPattern":"secret assignment","score":98,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"honker/packages/honker-bun/examples/atomic.ts","line":21,"snippet":"db.raw.exec(","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"honker/packages/honker-bun/src/index.ts","line":343,"snippet":"this.raw.exec(\"BEGIN IMMEDIATE\");","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"honker/packages/honker-bun/src/index.ts","line":422,"snippet":"raw.exec(\"PRAGMA busy_timeout = 5000;\");","matchedPattern":"python eval","score":90,"source":"builtin"}
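Review bot: the `matchedPattern` field is `"python eval"` for all three `dynamic-code-execution` records in TypeScript files (`honker-bun/examples/atomic.ts`, `honker-bun/src/index.ts`), which shows the eval patterns are not scoped by language. Suggest keying each pattern on the file extension so a Python-specific rule cannot fire on `.ts`; the SQLite `raw.exec("BEGIN IMMEDIATE")` records would then drop out of this class. Since this file is the per-match record stream, emitting a stable record key (slug, filePath, line, matchedPattern) in a fixed order would also make diffs of it reviewable rather than line-shifted.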
@@ -23,17 +25,35 @@
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"honker/packages/honker-go/watcher_backends_queue_test.go","line":194,"snippet":"cmd := exec.Command(os.Args[0], \"-test.run\", \"^TestWatcherBackendQueueHelper$\")","matchedPattern":"go command","score":90,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"honker/packages/honker-go/watcher_backends_queue_test.go","line":226,"snippet":"cmd := exec.Command(os.Args[0], \"-test.run\", \"^TestWatcherBackendQueueHelper$\")","matchedPattern":"go command","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"honker/scripts/test_sqlite_versions.py","line":103,"snippet":"assert rc == SQLITE_OK, f\"exec({sql!r}) failed: {rc}\"","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"ml/spam-classifier/train.py","line":216,"snippet":"model.eval()","matchedPattern":"eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"ml/spam-classifier/train.py","line":216,"snippet":"model.eval()","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"ml/spam-classifier/train.py","line":216,"snippet":"model.eval()","matchedPattern":"ruby eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"ml/spam-classifier/train.py","line":280,"snippet":"model.eval()","matchedPattern":"eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"ml/spam-classifier/train.py","line":280,"snippet":"model.eval()","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"ml/spam-classifier/train.py","line":280,"snippet":"model.eval()","matchedPattern":"ruby eval","score":90,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/darkwatch/hibp.client.test.ts","line":65,"snippet":"const apiKey = \"test-api-key\";","matchedPattern":"secret assignment","score":90,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":13,"snippet":"const apiKey = \"test-shodan-key\";","matchedPattern":"secret assignment","score":90,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/hometitle/attom.client.test.ts","line":170,"snippet":"const apiKey = \"test-attom-api-key\";","matchedPattern":"secret assignment","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":101,"snippet":"while ((tableMatch = tableRegex.exec(html)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":127,"snippet":"while ((rowMatch = rowRegex.exec(tableHtml)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":153,"snippet":"while ((match = cellRegex.exec(headerRowHtml)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":160,"snippet":"while ((match = tdRegex.exec(headerRowHtml)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":199,"snippet":"while ((match = cellRegex.exec(rowHtml)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":294,"snippet":"while ((match = labelSpanPattern.exec(html)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":302,"snippet":"while ((match = thTdPattern.exec(html)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":310,"snippet":"while ((match = divFieldPattern.exec(html)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"dynamic-code-execution","description":"Dynamic code execution, expression evaluation, or runtime compilation.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":318,"snippet":"while ((match = plainLabelPattern.exec(html)) !== null) {","matchedPattern":"python eval","score":90,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/notification.service.test.ts","line":220,"snippet":"token: \"existing-token\",","matchedPattern":"secret assignment","score":90,"source":"builtin"}
{"slug":"secret-literal","description":"Hardcoded secret-like literal.","noise":"precise","filePath":"web/src/server/services/notification.service.test.ts","line":256,"snippet":"token: \"other-user-token\",","matchedPattern":"secret assignment","score":90,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/admin.ts","line":40,"snippet":"stats: adminProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/admin.ts","line":58,"snippet":"blogList: adminProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/admin.ts","line":64,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/admin.ts","line":137,"snippet":"userList: adminProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/billing.test.ts","line":73,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/billing.test.ts","line":80,"snippet":".query(async () => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/billing.test.ts","line":113,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/billing.ts","line":33,"snippet":"getSubscription: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/billing.ts","line":155,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/billing.test.ts","line":95,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/billing.test.ts","line":102,"snippet":".query(async () => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/billing.test.ts","line":168,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/billing.ts","line":43,"snippet":"getSubscription: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/billing.ts","line":304,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":87,"source":"builtin"}
{"slug":"open-redirect","description":"Redirect sink that may accept user-controlled URLs.","noise":"normal","filePath":"web/src/routes/(admin)/blog/index.tsx","line":32,"snippet":"if (redirect()) return <Navigate href=\"/admin/blog/new\" />;","matchedPattern":"redirect call","score":81,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"honker/bench/real_bench.py","line":180,"snippet":"def spawn(script: str) -> subprocess.Popen:","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"honker/bench/real_bench.py","line":181,"snippet":"return subprocess.Popen(","matchedPattern":"python process","score":80,"source":"builtin"}
@@ -84,28 +104,72 @@
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"honker/tests/test_watcher_backends_e2e.py","line":98,"snippet":"proc = subprocess.Popen(","matchedPattern":"python process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"honker/tests/test_watcher_backends_queue_e2e.py","line":116,"snippet":"proc = subprocess.Popen(","matchedPattern":"python process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"honker/tests/test_watcher_backends_queue_e2e.py","line":181,"snippet":"res = subprocess.run(","matchedPattern":"python process","score":80,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":2,"snippet":"import { stripe } from \"~/server/stripe\";","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":2,"snippet":"import { stripe } from \"~/server/stripe\";","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":7,"snippet":"const signature = event.request.headers.get(\"stripe-signature\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":7,"snippet":"const signature = event.request.headers.get(\"stripe-signature\");","matchedPattern":"request header read","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":10,"snippet":"return new Response(\"Missing stripe-signature header\", { status: 400 });","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":14,"snippet":"const webhookEvent = stripe.webhooks.constructEvent(","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":24,"snippet":"const message = err instanceof Error ? err.message : \"Webhook error\";","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/scrapers/county-data.ts","line":536,"snippet":"notes: \"Massachusetts Land Records system (Middlesex County).\",","matchedPattern":"php process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":101,"snippet":"while ((tableMatch = tableRegex.exec(html)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":127,"snippet":"while ((rowMatch = rowRegex.exec(tableHtml)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":153,"snippet":"while ((match = cellRegex.exec(headerRowHtml)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":160,"snippet":"while ((match = tdRegex.exec(headerRowHtml)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":199,"snippet":"while ((match = cellRegex.exec(rowHtml)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":294,"snippet":"while ((match = labelSpanPattern.exec(html)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":302,"snippet":"while ((match = thTdPattern.exec(html)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":310,"snippet":"while ((match = divFieldPattern.exec(html)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"command-execution","description":"Potential command execution or shell invocation with variable input.","noise":"precise","filePath":"web/src/server/services/hometitle/county-scrapers/unified-parser.ts","line":318,"snippet":"while ((match = plainLabelPattern.exec(html)) !== null) {","matchedPattern":"node child_process","score":80,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":4,"snippet":"vi.mock(\"~/server/stripe\", () => ({","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":5,"snippet":"stripe: {","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":44,"snippet":"describe(\"Webhook handler\", () => {","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":50,"snippet":"const { POST } = await import(\"./webhook\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":56,"snippet":"const { POST } = await import(\"./webhook\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":67,"snippet":"url: \"http://localhost/api/stripe/webhook\",","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":67,"snippet":"url: \"http://localhost/api/stripe/webhook\",","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":75,"snippet":"const { stripe } = await import(\"~/server/stripe\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":75,"snippet":"const { stripe } = await import(\"~/server/stripe\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":81,"snippet":"vi.mocked(stripe.webhooks.constructEvent).mockReturnValue(mockEvent as any);","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":83,"snippet":"expect(stripe.webhooks.constructEvent).toBeDefined();","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":89,"snippet":"\"~/server/db/schema/webhook-events\"","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":99,"snippet":"it(\"should clean up old webhook events\", async () => {","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":102,"snippet":"\"~/server/db/schema/webhook-events\"","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":113,"snippet":"const { cleanupWebhookEvents } = await import(\"./webhook\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":119,"snippet":"describe(\"Webhook deduplication\", () => {","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":142,"snippet":"describe(\"Webhook idempotency\", () => {","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.test.ts","line":154,"snippet":"it(\"should handle all critical Stripe event types\", async () => {","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":4,"snippet":"import { stripe } from \"~/server/stripe\";","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":4,"snippet":"import { stripe } from \"~/server/stripe\";","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":6,"snippet":"import { stripeWebhookEvents } from \"~/server/db/schema/webhook-events\";","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":9,"snippet":"* Cleans up webhook event records older than 30 days to prevent unbounded table growth.","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":17,"snippet":"console.log(\"[webhook] Cleaned up old webhook event records (30+ days)\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":17,"snippet":"console.log(\"[webhook] Cleaned up old webhook event records (30+ days)\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":19,"snippet":"console.error(\"[webhook] Failed to clean up old webhook events:\", err);","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":19,"snippet":"console.error(\"[webhook] Failed to clean up old webhook events:\", err);","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":25,"snippet":"const signature = event.request.headers.get(\"stripe-signature\");","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":25,"snippet":"const signature = event.request.headers.get(\"stripe-signature\");","matchedPattern":"request header read","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":28,"snippet":"return new Response(\"Missing stripe-signature header\", { status: 400 });","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":32,"snippet":"const webhookEvent = stripe.webhooks.constructEvent(","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":38,"snippet":"// Check for duplicate event ID (webhook replay protection)","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":47,"snippet":"`[webhook] Duplicate event ${webhookEvent.id} (${webhookEvent.type}) — skipping`,","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/routes/api/stripe/webhook.ts","line":65,"snippet":"const message = err instanceof Error ? err.message : \"Webhook error\";","matchedPattern":"webhook route","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/api.ts","line":7,"snippet":"hello: publicProcedure.query(() => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/blog.ts","line":18,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/blog.ts","line":46,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/blog.ts","line":77,"snippet":"tags: publicProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":40,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":48,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":53,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":58,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":63,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":71,"snippet":"getStats: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":15,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":21,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":27,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":33,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":43,"snippet":"getStats: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":51,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":59,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":64,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":69,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":74,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":82,"snippet":"getStats: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":85,"snippet":"getThreatScore: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":88,"snippet":"getThreatScoreTrend: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":91,"snippet":"getRecommendations: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.test.ts","line":96,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":17,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":24,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":31,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":38,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":50,"snippet":"getStats: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":55,"snippet":"getThreatScore: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":60,"snippet":"getThreatScoreTrend: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":65,"snippet":"getRecommendations: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/correlation.ts","line":72,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/darkwatch.test.ts","line":45,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/darkwatch.test.ts","line":51,"snippet":"getWatchlist: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/darkwatch.test.ts","line":66,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
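Review bot: every raw-sql-query record in this hunk is a tRPC procedure definition (`getThreatScore: protectedProcedure.query(async ({ ctx }) => {`, `.query(async ({ ctx, input }) => {`), not a SQL query; the "query call" pattern keys on the method name `.query(` and therefore fires on every read procedure under `web/src/server/api/routers/`, all at the same score of 79, which gives a reviewer nothing to rank. The hidden-control-channel hit on `const isAuthed = t.middleware(({ ctx, next }) => {` in `darkwatch.test.ts` is likewise a tRPC middleware stub in a test file, not a header read. Suggest constraining the raw-sql pattern to calls whose argument is a string or template (`db.query(\`...\`)`, `sql\``) and treating `*.test.ts` as a low-noise path so these records stop dominating the class totals.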
@@ -119,6 +183,12 @@
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/darkwatch.ts","line":54,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/example.ts","line":8,"snippet":".query(({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/extension.ts","line":10,"snippet":"getAuthStatus: publicProcedure.input(wrap(GetAuthStatusSchema)).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/family.ts","line":48,"snippet":"getGroup: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/family.ts","line":90,"snippet":"getDashboard: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/family.ts","line":100,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/family.ts","line":165,"snippet":"listInvitations: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/family.ts","line":241,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/family.ts","line":263,"snippet":"getAlertRouting: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/hometitle.test.ts","line":42,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/hometitle.test.ts","line":48,"snippet":"getProperties: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/hometitle.test.ts","line":63,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
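Review bot: the one record here a human should actually look at, `getAuthStatus: publicProcedure.input(wrap(GetAuthStatusSchema)).query(async ({ ctx }) => {` in `extension.ts`, is the only `publicProcedure` in the hunk and it reads `ctx`, yet it is filed as raw-sql-query at the same score 79 as `example.ts` line 8 (`.query(({ input }) => {`) and the `family.ts` getters, so it is indistinguishable from noise. Suggest a dedicated pattern for `publicProcedure` handlers that touch `ctx` or auth-related names, scored separately from the generic `.query(` match, and again marking `hometitle.test.ts` and the other `*.test.ts` files as low noise.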
@@ -136,11 +206,20 @@
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.test.ts","line":63,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.test.ts","line":68,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.test.ts","line":76,"snippet":"getStats: t.procedure.use(isAuthed).query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":13,"snippet":"getBrokerRegistry: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":19,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":31,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":37,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":47,"snippet":"getStats: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":15,"snippet":"getBrokerRegistry: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":21,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":33,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":39,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":49,"snippet":"getStats: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":54,"snippet":"getEnhancedStats: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":59,"snippet":"getCaptchaSolverStatus: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":73,"snippet":"getReListingStats: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":78,"snippet":"getAdapterSystemHealth: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":82,"snippet":"getBrokenAdapters: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":92,"snippet":"getAllAdapterHealth: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":97,"snippet":"getMonthlyCosts: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":101,"snippet":"getCostPerUser: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/removebrokers.ts","line":105,"snippet":"getCostHistory: protectedProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/reports.test.ts","line":40,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/reports.test.ts","line":48,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/reports.test.ts","line":58,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
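Review bot: the five `removebrokers.ts` records at lines 13, 19, 31, 37 and 47 reappear verbatim at lines 15, 21, 33, 39 and 49, so the file gained two lines above the first hit and every finding below it was rewritten in the committed report; with the report under version control, any edit to a scanned file churns it this way. Suggest keying records on (filePath, slug, snippet) with the line number outside the diffable portion, or not committing the generated report at all. Separately, the newly listed procedures `getCaptchaSolverStatus`, `getReListingStats`, `getAdapterSystemHealth`, `getBrokenAdapters`, `getAllAdapterHealth`, `getMonthlyCosts`, `getCostPerUser` and `getCostHistory` are all `protectedProcedure.query(async () => {` with neither `ctx` nor `input` in the handler signature, so whatever they return is not scoped to the calling user; if these are fleet-wide cost and adapter-health figures, confirm they are meant to be readable by every authenticated user rather than an admin role.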
@@ -152,31 +231,37 @@
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/api/routers/scheduler.ts","line":20,"snippet":"throw new Error(`Invalid job type: ${type}. Must be one of: ${JOB_TYPES.join(\", \")}`);","matchedPattern":"path join","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/scheduler.ts","line":30,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/scheduler.ts","line":49,"snippet":".query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":46,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":54,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":59,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":64,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":67,"snippet":"getRules: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":87,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":17,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":23,"snippet":".query(async ({ input, ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":29,"snippet":".query(async ({ input, ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":38,"snippet":"getRules: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":73,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":53,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":61,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":66,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":71,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":74,"snippet":"getRules: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.test.ts","line":94,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":18,"snippet":".query(async ({ input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":24,"snippet":".query(async ({ input, ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":30,"snippet":".query(async ({ input, ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":39,"snippet":"getRules: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":74,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/spamshield.ts","line":78,"snippet":"modelInfo: publicProcedure.query(async () => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/user.test.ts","line":40,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/user.test.ts","line":46,"snippet":"me: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/user.test.ts","line":60,"snippet":".query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/user.ts","line":46,"snippet":"me: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/user.ts","line":63,"snippet":"listFamilyMembers: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":43,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":49,"snippet":"getEnrollments: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":69,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":74,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":79,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":14,"snippet":"getEnrollments: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":38,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":44,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":50,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":51,"snippet":"const isAuthed = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":57,"snippet":"getEnrollments: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":90,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":95,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":100,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.test.ts","line":103,"snippet":"getUsageStats: t.procedure.use(isAuthed).query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":22,"snippet":"getEnrollments: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":65,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":71,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":77,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":81,"snippet":"getUsageStats: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":109,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":122,"snippet":".query(async ({ ctx, input }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/api/routers/voiceprint.ts","line":129,"snippet":"getCallAnalysisSettings: protectedProcedure.query(async ({ ctx }) => {","matchedPattern":"query call","score":79,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(admin)/blog/[slug].tsx","line":25,"snippet":"api.admin.blogGet.query({ id: params.slug }).then(data => {","matchedPattern":"query call","score":71,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/(admin)/blog/[slug].tsx","line":55,"snippet":"tags: tags().join(\",\"),","matchedPattern":"path join","score":71,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/(admin)/blog/[slug].tsx","line":122,"snippet":"].join(\" \")}","matchedPattern":"path join","score":71,"source":"builtin"}
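Review bot: the path-traversal-file-access records here all match `Array.prototype.join`, not a filesystem path: `JOB_TYPES.join(", ")` inside an `Error` message in `scheduler.ts`, `tags().join(",")` and `].join(" ")` in `blog/[slug].tsx`. The "path join" pattern should require a `path`/`node:path` import or a `path.join(` / `join(__dirname` call site before scoring a hit at 79. The same shifted-duplicate churn as in the previous hunk recurs for `spamshield.test.ts` (46 to 53, 54 to 61, 59 to 66, 64 to 71, 67 to 74, 87 to 94), `spamshield.ts` (17 to 18, 23 to 24, 29 to 30, 38 to 39, 73 to 74), `voiceprint.test.ts` (43 to 51, 49 to 57, 69 to 90, 74 to 95, 79 to 100) and `voiceprint.ts` (14 to 22, 38 to 65, 44 to 71, 50 to 77), which is the bulk of this hunk. The one genuinely new unauthenticated surface is `modelInfo: publicProcedure.query(async () => {` in `spamshield.ts` line 78; verify it is intentionally public and returns nothing beyond model metadata.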
@@ -197,6 +282,15 @@
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/routes/(auth)/signup.tsx","line":113,"snippet":"redirectUrlComplete: window.location.origin + \"/onboarding\",","matchedPattern":"proxy or original request header","score":71,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/routes/billing/checkout.tsx","line":33,"snippet":"const returnUrl = `${window.location.origin}/billing/return`;","matchedPattern":"proxy or original request header","score":71,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/routes/billing/return.tsx","line":23,"snippet":"const response = await fetch(`/api/stripe/session-status?session_id=${sessionId}`);","matchedPattern":"fetch/http client","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.test.ts","line":7,"snippet":"} from \"./webhook\";","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.test.ts","line":168,"snippet":"describe(\"Webhook data validation - malformed payloads\", () => {","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.ts","line":4,"snippet":"* Validates a Stripe Checkout Session object from webhook data.","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.ts","line":4,"snippet":"* Validates a Stripe Checkout Session object from webhook data.","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.ts","line":17,"snippet":"* Price item inside a Stripe Subscription.","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.ts","line":28,"snippet":"* Validates a Stripe Subscription object from webhook data.","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.ts","line":28,"snippet":"* Validates a Stripe Subscription object from webhook data.","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.ts","line":50,"snippet":"* Validates a Stripe Invoice object from webhook data.","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"webhook-without-obvious-signature","description":"Webhook handler path that should be checked for signature verification.","noise":"normal","filePath":"web/src/server/api/schemas/webhook.ts","line":50,"snippet":"* Validates a Stripe Invoice object from webhook data.","matchedPattern":"webhook route","score":71,"source":"builtin"}
{"slug":"open-redirect","description":"Redirect sink that may accept user-controlled URLs.","noise":"normal","filePath":"web/src/app.tsx","line":40,"snippet":"<Show when={redirect()} keyed>","matchedPattern":"redirect call","score":65,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"browser-ext/tests/api-client.test.ts","line":55,"snippet":"const result = await client.spamshield.checkNumber.query({","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"browser-ext/tests/api-client.test.ts","line":64,"snippet":"const result = await client.spamshield.classifySMS.query({","matchedPattern":"query call","score":63,"source":"builtin"}
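Review bot: the only record in this hunk that needs a triage decision is `const response = await fetch(\`/api/stripe/session-status?session_id=${sessionId}\`);` in billing/return.tsx: the URL is relative, so it is a same-origin request rather than an SSRF candidate, but `sessionId` is interpolated into the query string without `encodeURIComponent` and should go through `URLSearchParams` (or be encoded) so a malformed value cannot add extra parameters. The rest is scanner noise: `window.location.origin` in signup.tsx and checkout.tsx is browser code and cannot be a "proxy or original request header" read; the six webhook.ts records are three exact duplicates (lines 4, 28 and 50 each appear twice) and they match JSDoc text such as `* Validates a Stripe Checkout Session object from webhook data.`, so the "webhook route" pattern is firing on comments in a schema module rather than on a handler that receives the webhook. Dedupe records on (filePath, line, slug, matchedPattern) and skip comment lines for this pattern.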
@@ -232,33 +326,49 @@
{"slug":"unsafe-html-or-template","description":"HTML injection sink or template escape bypass.","noise":"normal","filePath":"web/src/components/auth/auth.test.tsx","line":28,"snippet":"document.body.innerHTML = \"\";","matchedPattern":"dangerous html","score":63,"source":"builtin"}
{"slug":"weak-token-or-crypto","description":"Token, JWT, randomness, or crypto usage that deserves review.","noise":"normal","filePath":"web/src/components/auth/PasswordInput.tsx","line":25,"snippet":"Math.random().toString(36).slice(2, 10);","matchedPattern":"weak random","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/hooks/useAuth.ts","line":7,"snippet":"return await api.user.me.query();","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.test.ts","line":4,"snippet":"* Mirrors the isValidCorsOrigin function from middleware.ts","matchedPattern":"identity or internal control header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.test.ts","line":6,"snippet":"function isValidCorsOrigin(origin: string): boolean {","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.test.ts","line":7,"snippet":"if (!origin || !origin.trim()) return false;","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.test.ts","line":7,"snippet":"if (!origin || !origin.trim()) return false;","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.test.ts","line":8,"snippet":"if (origin === \"*\") return false;","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.test.ts","line":11,"snippet":"const parsed = new URL(origin);","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":1,"snippet":"import { createMiddleware, type RequestMiddleware } from \"@solidjs/start/middleware\";","matchedPattern":"identity or internal control header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":12,"snippet":"h.set(\"Referrer-Policy\", \"strict-origin-when-cross-origin\");","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":12,"snippet":"h.set(\"Referrer-Policy\", \"strict-origin-when-cross-origin\");","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":22,"snippet":"const origin = event.request.headers.get(\"origin\");","matchedPattern":"request header read","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":22,"snippet":"const origin = event.request.headers.get(\"origin\");","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":22,"snippet":"const origin = event.request.headers.get(\"origin\");","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":29,"snippet":"if (origin && allowedOrigins.includes(origin)) {","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":29,"snippet":"if (origin && allowedOrigins.includes(origin)) {","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":30,"snippet":"event.response.headers.set(\"Access-Control-Allow-Origin\", origin);","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":30,"snippet":"event.response.headers.set(\"Access-Control-Allow-Origin\", origin);","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":22,"snippet":"* Validates that an origin string is a well-formed HTTP(S) origin.","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":22,"snippet":"* Validates that an origin string is a well-formed HTTP(S) origin.","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":25,"snippet":"function isValidCorsOrigin(origin: string): boolean {","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":26,"snippet":"if (!origin || !origin.trim()) return false;","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":26,"snippet":"if (!origin || !origin.trim()) return false;","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":27,"snippet":"if (origin === \"*\") return false;","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":30,"snippet":"const parsed = new URL(origin);","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":42,"snippet":"const origin = event.request.headers.get(\"origin\");","matchedPattern":"request header read","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":42,"snippet":"const origin = event.request.headers.get(\"origin\");","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":42,"snippet":"const origin = event.request.headers.get(\"origin\");","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":48,"snippet":"// Validate APP_URL before trusting it as a CORS origin","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":54,"snippet":"console.warn(`[cors] APP_URL \"${appUrl}\" is not a valid HTTP(S) origin and will be excluded from CORS allowlist`);","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":58,"snippet":"if (origin && allowedOrigins.includes(origin)) {","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":58,"snippet":"if (origin && allowedOrigins.includes(origin)) {","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":59,"snippet":"event.response.headers.set(\"Access-Control-Allow-Origin\", origin);","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/middleware.ts","line":59,"snippet":"event.response.headers.set(\"Access-Control-Allow-Origin\", origin);","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/darkwatch.tsx","line":21,"snippet":"() => api.darkwatch.getWatchlist.query(),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/darkwatch.tsx","line":25,"snippet":"() => api.darkwatch.getExposures.query({ page: 1, limit: 20 }),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/hometitle.tsx","line":21,"snippet":"() => api.hometitle.getProperties.query(),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/removebrokers.tsx","line":20,"snippet":"() => api.removebrokers.getBrokerRegistry.query(),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/removebrokers.tsx","line":24,"snippet":"() => api.removebrokers.getRemovalRequests.query({ page: 1, limit: 20 }),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/removebrokers.tsx","line":27,"snippet":"() => api.removebrokers.getStats.query(),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/removebrokers.tsx","line":51,"snippet":"() => api.removebrokers.getBrokerRegistry.query(),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/removebrokers.tsx","line":55,"snippet":"() => api.removebrokers.getRemovalRequests.query({ page: 1, limit: 20 }),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/removebrokers.tsx","line":58,"snippet":"() => api.removebrokers.getEnhancedStats.query(),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/routes/(webapp)/settings.tsx","line":31,"snippet":"returnUrl: `${window.location.origin}/settings`,","matchedPattern":"proxy or original request header","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/spamshield.tsx","line":21,"snippet":"() => api.spamshield.getRules.query(),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/spamshield.tsx","line":33,"snippet":"const result = await api.spamshield.checkNumber.query({ phoneNumber: phoneNumber() });","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/(webapp)/voiceprint.tsx","line":21,"snippet":"() => api.voiceprint.getEnrollments.query(),","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/blog.tsx","line":22,"snippet":"const [allPostsResult] = createResource(() => api.blog.list.query({ limit: \"100\" }));","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/blog.tsx","line":26,"snippet":"const [tagListResult] = createResource(() => api.blog.tags.query());","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":50,"snippet":"const [dataResult] = createResource(() => api.blog.bySlug.query({ slug: params.slug }));","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":103,"snippet":"{(p().authorName || \"K\").split(\" \").map((n: string) => n[0]).join(\"\")}","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"unsafe-html-or-template","description":"HTML injection sink or template escape bypass.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":121,"snippet":"<div class=\"prose-custom\" innerHTML={contentHtml()} />","matchedPattern":"dangerous html","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":127,"snippet":"{(p().authorName || \"K\").split(\" \").map((n: string) => n[0]).join(\"\")}","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":142,"snippet":"onClick={() => window.open(`https://twitter.com/intent/tweet?text=${encodeURIComponent(p().title)}&url=${encodeURIComponent(window.location.href)}`, \"_blank\")}","matchedPattern":"python file open","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":150,"snippet":"onClick={() => window.open(`https://linkedin.com/sharing/share-offsite/?url=${encodeURIComponent(window.location.href)}`, \"_blank\")}","matchedPattern":"python file open","score":63,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":51,"snippet":"const [dataResult] = createResource(() => api.blog.bySlug.query({ slug: params.slug }));","matchedPattern":"query call","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":104,"snippet":"{(p().authorName || \"K\").split(\" \").map((n: string) => n[0]).join(\"\")}","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"unsafe-html-or-template","description":"HTML injection sink or template escape bypass.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":122,"snippet":"<div class=\"prose-custom\" innerHTML={sanitizeHtml(contentHtml())} />","matchedPattern":"dangerous html","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":128,"snippet":"{(p().authorName || \"K\").split(\" \").map((n: string) => n[0]).join(\"\")}","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":143,"snippet":"onClick={() => window.open(`https://twitter.com/intent/tweet?text=${encodeURIComponent(p().title)}&url=${encodeURIComponent(window.location.href)}`, \"_blank\")}","matchedPattern":"python file open","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/blog/[slug].tsx","line":151,"snippet":"onClick={() => window.open(`https://linkedin.com/sharing/share-offsite/?url=${encodeURIComponent(window.location.href)}`, \"_blank\")}","matchedPattern":"python file open","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/routes/migrated-pages.test.tsx","line":96,"snippet":"Promise.resolve({","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"unsafe-html-or-template","description":"HTML injection sink or template escape bypass.","noise":"normal","filePath":"web/src/routes/migrated-pages.test.tsx","line":329,"snippet":"document.body.innerHTML = \"\";","matchedPattern":"dangerous html","score":63,"source":"builtin"}
{"slug":"unsafe-html-or-template","description":"HTML injection sink or template escape bypass.","noise":"normal","filePath":"web/src/routes/migrated-pages.test.tsx","line":333,"snippet":"document.body.innerHTML = \"\";","matchedPattern":"dangerous html","score":63,"source":"builtin"}
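Review bot: this hunk reports two versions of the same files, which inflates the totals and hides the one meaningful change. For web/src/middleware.ts line 22 is listed both as `const origin = event.request.headers.get("origin");` and as `* Validates that an origin string is a well-formed HTTP(S) origin.`, and most records appear twice with identical fields (lines 26, 42, 58, 59), so the report should carry only the current file and dedupe on (filePath, line, slug, matchedPattern); the same applies to blog/[slug].tsx, whose records at lines 50, 103, 121, 127, 142 and 150 are the pre-change copies of 51, 104, 122, 128, 143 and 151. The substantive change in that file, `innerHTML={sanitizeHtml(contentHtml())}` replacing `innerHTML={contentHtml()}`, keeps the same score of 63, so the scanner gives no credit for a sanitizer wrapping the sink; a mitigated-sink marker would make that visible to a reviewer. On the CORS logic itself, `if (origin && allowedOrigins.includes(origin))` with APP_URL validated by `isValidCorsOrigin` before it enters the allowlist is the right exact-match shape; what the snippets do not show is whether the response also sets `Vary: Origin` when echoing the request origin, which is worth confirming in the source. middleware.test.ts carries its own copy of the function ("Mirrors the isValidCorsOrigin function from middleware.ts"), so the test can keep passing against a stale duplicate; export it from middleware.ts and import it in the test. Finally, `window.open(` in a .tsx file matched as "python file open", and `Promise.resolve({` matched as "path join" with no join in the snippet at all, are pattern bugs that should be language-scoped.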
@@ -276,6 +386,11 @@
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/utils.ts","line":21,"snippet":"const isAdmin = t.middleware(({ ctx, next }) => {","matchedPattern":"identity or internal control header","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/api/utils.ts","line":35,"snippet":"const isRateLimited = t.middleware(async ({ ctx, next, path }) => {","matchedPattern":"identity or internal control header","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/jobs/handlers/darkwatch.scan.test.ts","line":8,"snippet":"then: vi.fn().mockImplementation((fn: Function) => Promise.resolve(fn(result))),","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/jobs/handlers/removebrokers.process.ts","line":167,"snippet":".join(\", \");","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/billing.service.ts","line":304,"snippet":"`[billing:webhook] Failed to parse subscription data: ${result.issues?.map((i) => i.message).join(\", \")}`,","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/billing.service.ts","line":315,"snippet":"`[billing:webhook] Failed to parse checkout session data: ${result.issues?.map((i) => i.message).join(\", \")}`,","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/billing.service.ts","line":326,"snippet":"`[billing:webhook] Failed to parse invoice data: ${result.issues?.map((i) => i.message).join(\", \")}`,","matchedPattern":"path join","score":63,"source":"builtin"}
{"slug":"weak-token-or-crypto","description":"Token, JWT, randomness, or crypto usage that deserves review.","noise":"normal","filePath":"web/src/server/services/removebrokers/proxy.ts","line":131,"snippet":"return Math.random().toString(36).substring(2, 15);","matchedPattern":"weak random","score":63,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"android/app/src/main/java/com/kordant/android/ui/components/ShieldCard.kt","line":50,"snippet":"header()","matchedPattern":"request header read","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"browser-ext/src/background/index.ts","line":51,"snippet":"const result = await client.spamshield.checkNumber.query({ phoneNumber });","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"browser-ext/src/background/index.ts","line":68,"snippet":"const result = await client.spamshield.classifySMS.query({ text });","matchedPattern":"query call","score":55,"source":"builtin"}
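Review bot: `return Math.random().toString(36).substring(2, 15);` in removebrokers/proxy.ts line 131 is the one record in this hunk that needs a decision rather than a noise adjustment: if that value is used as anything that must be unguessable (a request or session identifier sent to a third party), replace it with `crypto.randomUUID()` or `randomBytes` from node:crypto; if it is only a local log correlation id, record that and lower its noise level. The other records are matching on words rather than behaviour: `const isAdmin = t.middleware(({ ctx, next }) => {` and `const isRateLimited = t.middleware(...)` are the authorization and rate-limit middleware definitions, flagged as an "identity or internal control header" because of the word middleware; `header()` in ShieldCard.kt is a UI slot call in Kotlin, not a request header read; and the `.join(", ")` hits in removebrokers.process.ts and the three billing.service.ts log lines are string building on arrays of parser issue messages, not filesystem path joins.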
@@ -1332,17 +1447,23 @@
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"honker/tests/test_worker_task_options.py","line":125,"snippet":"rows = db.query(","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"honker/tests/test_worker_task_options.py","line":139,"snippet":"db = honker.open(db_path)","matchedPattern":"python file open","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"honker/tests/test_worker_task_options.py","line":144,"snippet":"row = db.query(\"SELECT run_at FROM _honker_live\")[0]","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/AlertFeedWidget.tsx","line":67,"snippet":"api.correlation.getAlerts.query({ limit: 10 }),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"weak-token-or-crypto","description":"Token, JWT, randomness, or crypto usage that deserves review.","noise":"normal","filePath":"ml/spam-classifier/train.py","line":118,"snippet":"if random.random() < 0.5:","matchedPattern":"weak random","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"ml/spam-classifier/train.py","line":352,"snippet":"with open(metadata_path, \"w\") as f:","matchedPattern":"python file open","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/AlertFeedWidget.tsx","line":95,"snippet":"api.correlation.getAlerts.query({ limit: 10 }),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/AlertFeedWidget.tsx","line":100,"snippet":"api.correlation.getGroups.query({ status: \"ACTIVE\", limit: 5 }),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"unsafe-html-or-template","description":"HTML injection sink or template escape bypass.","noise":"normal","filePath":"web/src/components/dashboard/dashboard.test.tsx","line":81,"snippet":"document.body.innerHTML = \"\";","matchedPattern":"dangerous html","score":55,"source":"builtin"}
{"slug":"unsafe-html-or-template","description":"HTML injection sink or template escape bypass.","noise":"normal","filePath":"web/src/components/dashboard/dashboard.test.tsx","line":86,"snippet":"document.body.innerHTML = \"\";","matchedPattern":"dangerous html","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/ExposureWidget.tsx","line":47,"snippet":"api.darkwatch.getExposures.query({ limit: 1 }),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/HomeTitleWidget.tsx","line":37,"snippet":"api.hometitle.getProperties.query(),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/HomeTitleWidget.tsx","line":41,"snippet":"api.hometitle.getAlerts.query(),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/RemoveBrokersWidget.tsx","line":20,"snippet":"api.removebrokers.getStats.query(),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/RemoveBrokersWidget.tsx","line":20,"snippet":"api.removebrokers.getEnhancedStats.query(),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/RemoveBrokersWidget.tsx","line":24,"snippet":"api.removebrokers.getBrokerRegistry.query(),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/SpamShieldWidget.tsx","line":21,"snippet":"api.spamshield.getStats.query({ period: \"week\" }),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/SpamShieldWidget.tsx","line":25,"snippet":"api.spamshield.getRules.query(),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/ThreatScoreWidget.tsx","line":33,"snippet":"const [stats] = createResource(tick, () => api.correlation.getStats.query());","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/components/dashboard/ThreatScoreWidget.tsx","line":47,"snippet":".join(\" \");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/ThreatScoreWidget.tsx","line":80,"snippet":"const [stats] = createResource(tick, () => api.correlation.getStats.query());","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/ThreatScoreWidget.tsx","line":83,"snippet":"const [trendData] = createResource(() => api.correlation.getThreatScoreTrend.query());","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/ThreatScoreWidget.tsx","line":86,"snippet":"const [recommendations] = createResource(() => api.correlation.getRecommendations.query());","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/components/dashboard/TopBar.tsx","line":20,"snippet":".join(\"\")","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/VoicePrintWidget.tsx","line":21,"snippet":"api.voiceprint.getEnrollments.query(),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/components/dashboard/VoicePrintWidget.tsx","line":25,"snippet":"api.voiceprint.getAnalyses.query({ limit: 10 }),","matchedPattern":"query call","score":55,"source":"builtin"}
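Review bot: every raw-sql-query record in this hunk is a `query call` hit on the client-side `api.<router>.<procedure>.query(...)` helper (AlertFeedWidget, ExposureWidget, HomeTitleWidget, RemoveBrokersWidget, SpamShieldWidget, ThreatScoreWidget, VoicePrintWidget), which is an RPC call from a dashboard component and never builds SQL, and the two path-traversal records are `.join(" ")` / `.join("")` on string arrays (ThreatScoreWidget.tsx:47, TopBar.tsx:20), not filesystem path joins; `random.random() < 0.5` in ml/spam-classifier/train.py:118 is a data-split coin flip, not token generation, and `document.body.innerHTML = ""` in dashboard.test.tsx only clears the DOM between tests. None of these is actionable, so add scanner suppressions for `.query(` on the `api.` client and for `Array.prototype.join` on non-path values, otherwise the raw-sql-query total is dominated by front-end noise and the genuine SQL sites (e.g. the `db.query(` and `honker.open(db_path)` records in honker/tests, which should also be tagged as test code) are hard to find.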
@@ -1360,24 +1481,160 @@
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/hooks/useSubscription.ts","line":16,"snippet":"api.billing.getSubscription.query(),","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/lib/utils.ts","line":2,"snippet":"return classes.filter(Boolean).join(\" \");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/health.ts","line":17,"snippet":"await client.execute({ sql: \"SELECT 1\" });","matchedPattern":"query call","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/jobs/scheduler.ts","line":43,"snippet":"return Object.values(CRON_OVERVIEW).join(\"\\n\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/lib/env.ts","line":67,"snippet":"console.error(\"Missing required variables:\", missingKeys.join(\", \"));","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/jobs/scheduler.test.ts","line":15,"snippet":"then: vi.fn().mockImplementation((fn: Function) => Promise.resolve(fn(result))),","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/jobs/scheduler.ts","line":50,"snippet":"return Object.values(CRON_OVERVIEW).join(\"\\n\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/lib/env.ts","line":69,"snippet":"console.error(\"Missing required variables:\", missingKeys.join(\", \"));","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/lib/logger.ts","line":22,"snippet":"\"req.headers.authorization\",","matchedPattern":"request header read","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/lib/logger.ts","line":23,"snippet":"\"req.headers.cookie\",","matchedPattern":"request header read","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/lib/logger.ts","line":24,"snippet":"\"req.headers.x-api-key\",","matchedPattern":"request header read","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/lib/request-logger.ts","line":1,"snippet":"import { type RequestMiddleware } from \"@solidjs/start/middleware\";","matchedPattern":"identity or internal control header","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":54,"snippet":"const res = await fetch(url, { headers, signal: AbortSignal.timeout(10_000) });","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":155,"snippet":"`https://api.shodan.io/shodan/host/search?key=${apiKey}&query=${encodeURIComponent(query)}&limit=10`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/hometitle/scanner.ts","line":49,"snippet":"const res = await fetch(url);","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/correlation.service.ts","line":190,"snippet":"? (existingNarrative ? existingNarrative + \" \" : \"\") + scoreResult.narratives.join(\" \")","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/correlation/engine.ts","line":83,"snippet":"narrative = result.narratives.join(\" \");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/alert.cooldown.test.ts","line":8,"snippet":"then: vi.fn().mockImplementation((fn: Function) => Promise.resolve(fn(result))),","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":71,"snippet":"it(\"returns parsed host search results\", async () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":133,"snippet":"it(\"returns detailed host info\", async () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":233,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":238,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":246,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":251,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":258,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":263,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":270,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":275,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":280,"snippet":"it(\"returns no exposures for clean host\", () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":281,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.test.ts","line":286,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":250,"snippet":"const res = await fetch(url, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":309,"snippet":"// viewHost — detailed host fingerprinting by IP","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":313,"snippet":"const cacheKey = `host:${createHash(\"sha256\").update(ip.toLowerCase()).digest(\"hex\").slice(0, 16)}`;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":322,"snippet":"const host: CensysHost = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":335,"snippet":"set(cacheKey, host, { prefix: CACHE_PREFIX, ttl: HOST_CACHE_TTL }).catch(() => {});","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":336,"snippet":"return host;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":372,"snippet":"analyzeHostExposures(host: CensysHost): CensysExposure[] {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":396,"snippet":"for (const service of host.services) {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":403,"snippet":"ip: host.ip,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/censys.client.ts","line":458,"snippet":"detail: `Certificate has known vulnerabilities: ${cert.vulnerabilities.join(\", \")}`,","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/digest.service.ts","line":269,"snippet":".join(\"\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/digest.service.ts","line":283,"snippet":"${sections.join(\"\")}","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/digest.service.ts","line":307,"snippet":"return lines.join(\"\\n\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/hibp.client.test.ts","line":243,"snippet":"Promise.resolve(","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/hibp.client.test.ts","line":263,"snippet":"Promise.resolve(","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/darkwatch/hibp.client.ts","line":177,"snippet":"res = await fetch(url, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/darkwatch/hibp.client.ts","line":254,"snippet":"res = await fetch(","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/darkwatch/hibp.client.ts","line":308,"snippet":"res = await fetch(`${this.baseUrl}/breaches`, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.test.ts","line":362,"snippet":"// Mock host search","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.test.ts","line":459,"snippet":"// Mock host lookup","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":321,"snippet":"// Censys scan — host search + certificate analysis","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":350,"snippet":"for (const host of hostResults.hosts) {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":351,"snippet":"// Analyze host for exposures","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":352,"snippet":"const exposures = censys.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":425,"snippet":"const host = await shodan.host(identifier);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":425,"snippet":"const host = await shodan.host(identifier);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":427,"snippet":"if (host) {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":428,"snippet":"const exposures = shodan.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":442,"snippet":"for (const host of searchResult.matches) {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":443,"snippet":"const exposures = shodan.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/scan.engine.ts","line":445,"snippet":"results.push(processScanResult(\"shodan\", exp, host.ip_str ?? identifier));","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/darkwatch/securitytrails.client.ts","line":196,"snippet":"const res = await fetch(url, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":119,"snippet":"// host","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":122,"snippet":"describe(\"host\", () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":123,"snippet":"it(\"returns detailed host info\", async () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":157,"snippet":"const result = await client.host(\"93.184.216.34\");","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":168,"snippet":"const result = await client.host(\"1.2.3.4\");","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":200,"snippet":"expect.stringContaining(\"/host/count\"),","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":212,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":220,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":227,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":236,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":243,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":257,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":264,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":277,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":284,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":297,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":304,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":317,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":325,"snippet":"const host = {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.test.ts","line":332,"snippet":"const exposures = client.analyzeHostExposures(host);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":169,"snippet":"const res = await fetch(url, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":208,"snippet":"const url = `${this.baseUrl}/host/search?key=${this.apiKey}&query=${encodeURIComponent(query)}&page=${page}`;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":222,"snippet":"// host — detailed host information by IP","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":222,"snippet":"// host — detailed host information by IP","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":225,"snippet":"async host(ip: string): Promise<ShodanHost | null> {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":226,"snippet":"const cacheKey = `host:${createHash(\"sha256\").update(ip.toLowerCase()).digest(\"hex\").slice(0, 16)}`;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":230,"snippet":"const url = `${this.baseUrl}/host/${encodeURIComponent(ip)}?key=${this.apiKey}`;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":251,"snippet":"const url = `${this.baseUrl}/host/count?key=${this.apiKey}&query=${encodeURIComponent(query)}`;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":263,"snippet":"analyzeHostExposures(host: ShodanHost): ShodanExposure[] {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":267,"snippet":"if (host.tags?.includes(\"tor\")) {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":271,"snippet":"detail: `IP ${host.ip_str} is a known Tor exit node`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":272,"snippet":"ip: host.ip_str,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":277,"snippet":"if (host.tags?.includes(\"iot\")) {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":281,"snippet":"detail: `IoT device exposed: ${host.ip_str}${host.os ? ` (${host.os})` : \"\"}`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":281,"snippet":"detail: `IoT device exposed: ${host.ip_str}${host.os ? ` (${host.os})` : \"\"}`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":281,"snippet":"detail: `IoT device exposed: ${host.ip_str}${host.os ? ` (${host.os})` : \"\"}`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":282,"snippet":"ip: host.ip_str,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":287,"snippet":"const portData = host.data ?? [];","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":295,"snippet":"detail: `Database ${port.product ?? \"service\"} exposed on port ${port.port} (${host.ip_str})`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":296,"snippet":"ip: host.ip_str,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":311,"snippet":"detail: `Admin panel exposed: \"${port.http.title}\" on port ${port.port} (${host.ip_str})`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":344,"snippet":"detail: `Service on port ${port.port} has known vulnerabilities: ${port.vulns.join(\", \")}`,","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/darkwatch/shodan.client.ts","line":381,"snippet":"detail: `Host ${host.ip_str} has vulnerabilities: ${newVulns.join(\", \")}`,","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/family.service.ts","line":1139,"snippet":"message: `This action requires one of these roles: ${allowedRoles.join(\", \")}`,","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/hometitle/attom.client.ts","line":228,"snippet":"const res = await fetch(url, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/hometitle/county-scrapers/rate-limiter.ts","line":16,"snippet":"* Resolves when it's safe to make the request (respects per-county interval).","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/hometitle/county-scrapers/rate-limiter.ts","line":42,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/hometitle/county-scrapers/rate-limiter.ts","line":47,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/hometitle/county-scrapers/rate-limiter.ts","line":63,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/hometitle/scanner.ts","line":320,"snippet":"const res = await fetch(url);","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/removebrokers/adapter-health.ts","line":188,"snippet":"`Broken: ${failingAdapters.filter((a) => a.status === \"broken\").map((a) => a.brokerName).join(\", \")}`;","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/removebrokers/adapters/base.ts","line":150,"snippet":"? Promise.resolve({ state: Notification.permission } as PermissionStatus)","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/removebrokers/adapters/base.ts","line":172,"snippet":"const baseDir = path.resolve(screenshotsDir);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/removebrokers/adapters/base.ts","line":175,"snippet":"const fullPath = path.join(baseDir, filename);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"weak-token-or-crypto","description":"Token, JWT, randomness, or crypto usage that deserves review.","noise":"normal","filePath":"web/src/server/services/removebrokers/adapters/base.ts","line":316,"snippet":"await el.type(value, { delay: 50 + Math.random() * 50 });","matchedPattern":"weak random","score":55,"source":"builtin"}
{"slug":"weak-token-or-crypto","description":"Token, JWT, randomness, or crypto usage that deserves review.","noise":"normal","filePath":"web/src/server/services/removebrokers/adapters/base.ts","line":331,"snippet":"await new Promise((r) => setTimeout(r, 200 + Math.random() * 300));","matchedPattern":"weak random","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/removebrokers/adapters/beenverified.ts","line":51,"snippet":"await this.fillField('input[name=\"lastName\"], input[placeholder*=\"Last\"]', nameParts.slice(1).join(\" \"));","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/removebrokers/adapters/whitepages.ts","line":62,"snippet":"const lastName = this.config.personalInfo.fullName.split(\" \").slice(1).join(\" \");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/removebrokers/captcha-solver.ts","line":169,"snippet":"const submitResponse = await fetch(submitUrl, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/removebrokers/captcha-solver.ts","line":192,"snippet":"const resultResponse = await fetch(resultUrl, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/removebrokers/captcha-solver.ts","line":492,"snippet":"const response = await fetch(","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/removebrokers/email-verifier.ts","line":137,"snippet":"fetch(","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/services/removebrokers/email-verifier.ts","line":153,"snippet":"host: config.imapHost!,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/removebrokers/email-verifier.ts","line":169,"snippet":"for await (const msg of client.fetch(","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/removebrokers/email-verifier.ts","line":396,"snippet":"// Find the best matching request (by domain or name)","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":9,"snippet":"const TEMPLATES_DIR = join(__dirname, \"templates\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":10,"snippet":"const REPORTS_DIR = join(process.cwd(), \"reports\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":158,"snippet":".join(\"\\n\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":221,"snippet":"return items.join(\"\\n\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":231,"snippet":"return readFileSync(join(TEMPLATES_DIR, filename), \"utf-8\");","matchedPattern":"file read/write","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":231,"snippet":"return readFileSync(join(TEMPLATES_DIR, filename), \"utf-8\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":268,"snippet":"const userDir = join(REPORTS_DIR, userId);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":272,"snippet":"const filePath = join(userDir, filename);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":273,"snippet":"writeFileSync(filePath, pdfBuffer);","matchedPattern":"file read/write","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":312,"snippet":"const userDir = join(REPORTS_DIR, userId);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":316,"snippet":"const filePath = join(userDir, filename);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/reports/generator.ts","line":317,"snippet":"writeFileSync(filePath, pdfBuffer);","matchedPattern":"file read/write","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":138,"snippet":"const vocabPath = path.join(configPath, \"vocab.txt\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":139,"snippet":"const tokenizerConfigPath = path.join(configPath, \"tokenizer_config.json\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":144,"snippet":"const vocabText = fs.readFileSync(vocabPath, \"utf-8\");","matchedPattern":"file read/write","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":158,"snippet":"const configData = JSON.parse(fs.readFileSync(tokenizerConfigPath, \"utf-8\"));","matchedPattern":"file read/write","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":255,"snippet":"const DEFAULT_MODEL_DIR = path.join(__dirname, \"..\", \"..\", \"models\", \"spam-classifier\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":269,"snippet":"const metadataPath = path.join(modelDir, \"model_metadata.json\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":271,"snippet":"modelState.metadata = JSON.parse(fs.readFileSync(metadataPath, \"utf-8\"));","matchedPattern":"file read/write","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":280,"snippet":"const modelPath = path.join(modelDir, \"model.onnx\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":283,"snippet":"const modelDataPath = path.join(modelDir, \"model.onnx.data\");","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":291,"snippet":"console.log(`[spamshield] Inputs: ${modelState.session.inputNames.join(\", \")}`);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/onnx.inference.ts","line":292,"snippet":"console.log(`[spamshield] Outputs: ${modelState.session.outputNames.join(\", \")}`);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/spamshield/twilio.client.ts","line":246,"snippet":"const response = await fetch(url, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/spamshield/twilio.client.ts","line":280,"snippet":"const url = `https://lookups.twilio.com/v1/PhoneNumbers/${encodeURIComponent(phoneNumber)}?Type=${types.join(\"&Type=\")}`;","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/spamshield/twilio.client.ts","line":282,"snippet":"const response = await fetch(url, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":35,"snippet":"Promise.resolve({","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":63,"snippet":"text: () => Promise.resolve('{\"error\": {\"code\": \"Unauthorized\"}}'),","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":75,"snippet":"Promise.resolve({","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":106,"snippet":"Promise.resolve({","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":126,"snippet":"Promise.resolve({","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":166,"snippet":"json: () => Promise.resolve(profiles),","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":179,"snippet":"Promise.resolve({","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":203,"snippet":"Promise.resolve({","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.test.ts","line":239,"snippet":"json: () => Promise.resolve([]),","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"ssrf-capable-request","description":"Outbound HTTP request site that may be attacker-controlled.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.ts","line":116,"snippet":"const response = await fetch(url, {","matchedPattern":"fetch/http client","score":55,"source":"builtin"}
{"slug":"raw-sql-query","description":"Raw SQL construction or query execution that may need parameterization review.","noise":"normal","filePath":"web/src/server/services/voiceprint/azure.client.ts","line":206,"snippet":"return this.request<void>(\"DELETE\", `/profiles/${profileId}`);","matchedPattern":"sql keyword string","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/storage.test.ts","line":12,"snippet":"testDir = mkdtempSync(join(tmpdir(), \"vp-storage-test-\"));","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/storage.test.ts","line":52,"snippet":"const dir = join(testDir, \"uploads\", \"voiceprint\", userId);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/storage.test.ts","line":67,"snippet":"const filePath = join(testDir, \"test.wav\");","matchedPattern":"path join","score":55,"source":"builtin"}
@@ -1387,10 +1644,43 @@
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/storage.ts","line":23,"snippet":"const filePath = join(userDir, `${hash}.wav`);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/storage.ts","line":24,"snippet":"await writeFile(filePath, audioBuffer);","matchedPattern":"file read/write","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/services/voiceprint/storage.ts","line":41,"snippet":"const filePath = join(getUserDir(userId), `${audioHash}.wav`);","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/websocket.ts","line":139,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/websocket.ts","line":145,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/websocket.ts","line":201,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/websocket.ts","line":213,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":23,"snippet":"origin: string;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":73,"snippet":"describe(\"WebSocket Origin validation\", () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":92,"snippet":"it(\"should accept connection from trusted localhost origin\", () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":95,"snippet":"origin: \"http://localhost:3000\",","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":101,"snippet":"it(\"should accept connection from trusted 127.0.0.1 origin\", () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":104,"snippet":"origin: \"http://127.0.0.1:3000\",","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":110,"snippet":"it(\"should reject connection from untrusted origin\", () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":113,"snippet":"origin: \"https://evil.com\",","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":119,"snippet":"it(\"should reject connection without origin header\", () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":122,"snippet":"origin: \"\",","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":123,"snippet":"req: { headers: { origin: \"\" } },","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":128,"snippet":"it(\"should reject connection with wildcard origin\", () => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":132,"snippet":"origin: wildcardOrigin,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":141,"snippet":"origin: \"ws://localhost:3000\",","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":152,"snippet":"origin: \"http://localhost:3000\",","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.test.ts","line":161,"snippet":"origin: \"not-a-valid-url://\",","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":18,"snippet":"// Validate APP_URL before trusting it as a WebSocket origin","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":34,"snippet":"for (const origin of explicit.split(\",\").map((o) => o.trim())) {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":35,"snippet":"if (origin) origins.push(origin);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":35,"snippet":"if (origin) origins.push(origin);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":43,"snippet":"* Validates the Origin header against the trusted origins allowlist.","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":47,"snippet":"origin: string | undefined,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":50,"snippet":"if (!origin || !origin.trim()) return false;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":50,"snippet":"if (!origin || !origin.trim()) return false;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":51,"snippet":"return trustedOrigins.includes(origin);","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/websocket.ts","line":266,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":273,"snippet":"verifyClient: (info: { origin: string; req: IncomingMessage }) => {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":274,"snippet":"const origin = info.req.headers.origin ?? info.origin;","matchedPattern":"request header read","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":274,"snippet":"const origin = info.req.headers.origin ?? info.origin;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":274,"snippet":"const origin = info.req.headers.origin ?? info.origin;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":274,"snippet":"const origin = info.req.headers.origin ?? info.origin;","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":275,"snippet":"if (!isTrustedOrigin(origin, TRUSTED_ORIGINS)) {","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":277,"snippet":"`[websocket] Rejected untrusted origin: ${origin ?? \"(none)\"}`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"hidden-control-channel","description":"Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.","noise":"normal","filePath":"web/src/server/websocket.ts","line":277,"snippet":"`[websocket] Rejected untrusted origin: ${origin ?? \"(none)\"}`,","matchedPattern":"proxy or original request header","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/websocket.ts","line":286,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/websocket.ts","line":383,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/src/server/websocket.ts","line":395,"snippet":"resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/test/__mocks__/drizzle-orm-libsql-migrator.js","line":2,"snippet":"return Promise.resolve();","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/test/__mocks__/drizzle-orm-libsql.js","line":5,"snippet":"where: () => ({ limit: () => Promise.resolve([]) }),","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/test/__mocks__/drizzle-orm-libsql.js","line":9,"snippet":"values: () => ({ returning: () => Promise.resolve([{ id: \"mock-id\" }]) }),","matchedPattern":"path join","score":55,"source":"builtin"}
@@ -1405,8 +1695,9 @@
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/vitest.config.ts","line":54,"snippet":"{ find: /^drizzle-orm\\/libsql$/, replacement: resolve(mocksDir, \"drizzle-orm-libsql.js\") },","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/vitest.config.ts","line":55,"snippet":"{ find: /^drizzle-orm\\/sqlite-core$/, replacement: resolve(mocksDir, \"drizzle-orm-sqlite-core.js\") },","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/vitest.config.ts","line":56,"snippet":"{ find: /^drizzle-orm$/, replacement: resolve(mocksDir, \"drizzle-orm.js\") },","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"path-traversal-file-access","description":"Filesystem access using path joins or user-controllable paths.","noise":"normal","filePath":"web/vitest.node.config.ts","line":12,"snippet":"{ find: \"~\", replacement: resolve(__dirname, \"./src\") },","matchedPattern":"path join","score":55,"source":"builtin"}
{"slug":"public-entrypoint","description":"Public route, handler, controller, workflow, or operation entry point.","noise":"noisy","filePath":"web/src/routes/api/stripe/session-status.ts","line":6,"snippet":"const sessionId = url.searchParams.get(\"session_id\");","matchedPattern":"http route","score":54,"source":"builtin"}
{"slug":"public-entrypoint","description":"Public route, handler, controller, workflow, or operation entry point.","noise":"noisy","filePath":"web/src/routes/api/stripe/webhook.ts","line":7,"snippet":"const signature = event.request.headers.get(\"stripe-signature\");","matchedPattern":"http route","score":54,"source":"builtin"}
{"slug":"public-entrypoint","description":"Public route, handler, controller, workflow, or operation entry point.","noise":"noisy","filePath":"web/src/routes/api/stripe/webhook.ts","line":25,"snippet":"const signature = event.request.headers.get(\"stripe-signature\");","matchedPattern":"http route","score":54,"source":"builtin"}
{"slug":"public-entrypoint","description":"Public route, handler, controller, workflow, or operation entry point.","noise":"noisy","filePath":"web/src/server/api/trpc.ts","line":15,"snippet":"const cookieHeader = req.headers.get(\"cookie\") ?? \"\";","matchedPattern":"http route","score":38,"source":"builtin"}
{"slug":"public-entrypoint","description":"Public route, handler, controller, workflow, or operation entry point.","noise":"noisy","filePath":"web/src/server/api/trpc.ts","line":52,"snippet":"const authHeader = req.headers.get(\"authorization\");","matchedPattern":"http route","score":38,"source":"builtin"}
{"slug":"public-entrypoint","description":"Public route, handler, controller, workflow, or operation entry point.","noise":"noisy","filePath":"web/src/server/api/trpc.ts","line":65,"snippet":"apiKey = req.headers.get(\"x-api-key\") ?? null;","matchedPattern":"http route","score":38,"source":"builtin"}

View File

@@ -1,42 +1,42 @@
# Lite Recon — Q0
Generated by piolium at 2026-05-28T13:00:30.024Z
Generated by piolium at 2026-06-01T14:22:02.616Z
## Target
- Path: `/Users/mike/Code/Kordant`
- Repository: (unknown)
- Total files (scanned): 1039
- Total bytes (scanned): 5.3 MB
- Total files (scanned): 1232
- Total bytes (scanned): 514.4 MB
## Git
- Commit: 26d9f8b050969dfaa2c9dfb714a872160b7db382
- Commit: ba73daa66c6ff24f79e25dfba380cbfb50c463ac
- Branch: master
- History available: true
Recent commits:
```
ba73daa deep research addressement
c159f07 shortcommings
3b29de3 security sweep
469c28f security audit fix start
26d9f8b clear references
1e1773c oof
5214412 get to prod tasks
04e8396 fix landing scroll
3bcbdae fix stripe configuration
7260975 clear old assets, new ci/cd flow
8281500 mostly android
9ee3d53 final
aacb800 name refactor
8ac2ce5 reduced nesting
```
## Languages
- TypeScript: 279 file(s)
- TypeScript: 400 file(s)
- Kotlin: 98 file(s)
- Swift: 76 file(s)
- Swift: 83 file(s)
- Java: 72 file(s)
- Python: 56 file(s)
- Python: 57 file(s)
- JavaScript: 25 file(s)
- C#: 21 file(s)
- Ruby: 19 file(s)
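Review bot: `Total bytes (scanned)` jumps from 5.3 MB to 514.4 MB while the file count only goes from 1039 to 1232, so the roughly 190 added files average about 2.6 MB each; that profile matches binaries or build output (plausibly from the Android work this commit adds) being swept into the scan. Check that the scanner's ignore rules exclude build directories and binary assets, and verify those files were meant to be committed at all. Separately, `- Path: /Users/mike/Code/Kordant` records a developer's local absolute path and username inside a report that is checked into the repository; the recon should write a repository-relative path or this line should be redacted before commit. `- Repository: (unknown)` next to a resolved commit hash and branch also suggests the remote is not being read, which is minor but worth a follow-up.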
@@ -44,6 +44,7 @@ aacb800 name refactor
- Go: 10 file(s)
- Shell: 8 file(s)
- C++: 4 file(s)
- SQL: 2 file(s)
## Build / Project Manifests