34 changes: 31 additions & 3 deletions .claude/review-state.json
@@ -1,6 +1,6 @@
{
"last_run": "2026-05-26T00:55:00Z",
"last_commit": "5083c52b64190381eadbb9f0c13b42e52c358a5a",
"last_run": "2026-05-26T03:13:00Z",
"last_commit": "81f8735d167b597ed7a7a88cc7f89ba0b440b07d",
"filed": [
{
"issue": 8,
Expand All @@ -14,6 +14,19 @@
"evidence_quality": 10
},
"timestamp": "2026-05-26T00:55:00Z"
},
{
"issue": 17,
"title": "[REVIEW] HSTS: max-age=0 (HSTS revocation) scores status 'good' due to bonus points from includeSubDomains and preload",
"finding": "checkHSTS awards includeSubDomains (+3) and preload (+2) bonus points regardless of max-age value; with max-age=0 (HSTS revocation) + includeSubDomains + preload the total is 15/20 and status 'good', contradicting the revocation semantics of max-age=0.",
"score": 6.9,
"score_breakdown": {
"user_impact": 5,
"security_severity": 7,
"implementation_effort": 9,
"evidence_quality": 9
},
"timestamp": "2026-05-26T03:13:00Z"
}
],
"runner_ups": [
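Review bot: the issue 17 entry records the finding but not where it lives; the clean_areas entries in this same file cite rules.ts line ranges (e.g. "rules.ts:73-91"), so the `finding` or `title` should name the checkHSTS location in rules.ts the same way, otherwise the next run cannot tell whether the bonus logic has changed since the issue was filed. On substance the finding is sound: max-age=0 tells the browser to delete the stored HSTS policy, so a checker should treat it as no HSTS in force and award nothing for includeSubDomains or preload; preload in particular only has meaning with a max-age of at least one year (31536000 seconds) plus includeSubDomains, which is the hstspreload.org submission requirement, so a fix that gates both bonuses on the parsed max-age rather than only on zero would be worth suggesting in the issue body.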
Expand Down Expand Up @@ -52,13 +65,28 @@
"score": 7.9,
"reason_not_filed": "duplicate of open issue #5",
"timestamp": "2026-05-26T00:55:00Z"
},
{
"finding": "4 tests in test/analyzer.test.ts fail on HEAD 81f8735: 3 checkPermissionsPolicy tests have stale score expectations (expect 10, code returns 5) and A+ grade boundary test fails because permissions-policy fixture only restricts camera=(), earning 5/10 instead of 10/10.",
"score": 8.4,
"reason_not_filed": "duplicate of open issue #15 filed by earlier run in same session",
"timestamp": "2026-05-26T03:13:00Z"
},
{
"finding": "Feature-Policy fallback in checkPermissionsPolicy applies Permissions-Policy substring syntax (camera=()) to Feature-Policy header values, which use different syntax (camera 'none'), making the fallback unable to distinguish restrictive from permissive Feature-Policy values.",
"score": 6.55,
"reason_not_filed": "closely related to and addressed within open issue #15",
"timestamp": "2026-05-26T03:13:00Z"
}
],
"clean_areas": [
"package.json exports/main/types/bin fields are correctly configured",
"tsconfig.json strict mode is enabled",
"CI workflows (ci.yml, publish.yml, auto-tag.yml) are sound",
"X-Content-Type-Options check (rules.ts:93-104) — values correctly validated",
"X-Frame-Options check (rules.ts:73-91) — accepts DENY/SAMEORIGIN and CSP frame-ancestors fallback as expected"
"X-Frame-Options check (rules.ts:73-91) — accepts DENY/SAMEORIGIN and CSP frame-ancestors fallback as expected",
"checkHSTS max-age parsing — correctly extracts numeric value via regex, handles missing max-age as 0",
"analyzeHeaders score aggregation — header scores correctly sum to report total",
"CLI --timeout argument parsing — correctly threads FetchOptions to analyze()"
]
}
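Review bot: the new runner_ups entry with "reason_not_filed": "duplicate of open issue #15 filed by earlier run in same session" is inconsistent with the `filed` array in this file, which as far as the visible hunks show contains only issues 8 and 17; if #15 was filed by this tool it needs a `filed` entry (with its score_breakdown and timestamp) so the next run can deduplicate from state rather than from the tracker, and if it was filed by someone else the reason should say so. Separately, the added clean_areas line "checkHSTS max-age parsing — correctly extracts numeric value via regex, handles missing max-age as 0" sits uneasily beside issue 17, which is precisely a max-age=0 scoring bug; narrow it to the parsing step (e.g. "numeric extraction is correct; scoring of max-age=0 tracked in #17") so a reader does not take checkHSTS as clean overall.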
39 changes: 0 additions & 39 deletions package-lock.json