Update review state with new findings and clean areas

[BodenMcHale]

This PR updates the code review state tracking file with the latest analysis results from the automated review run.

Summary

Updated .claude/review-state.json to reflect a new review cycle completed at 2026-05-26T05:00:00Z, documenting one newly filed issue and additional areas verified as working correctly.

Key Changes

• New filed issue [REVIEW] Permissions-Policy: recommendations always populated — spurious "Fix:" output when status is good #22: Identified that checkPermissionsPolicy in src/rules.ts:141 returns a non-empty recommendations array even when the status is good, causing spurious "Fix:" output in the CLI. This is inconsistent with all other check functions which return empty recommendations for the good path.
• New runner-up finding: Documented that checkCSP does not detect the unsafe-hashes keyword, missing event-handler attribute injection penalties (score: 6.05, deprioritized below issue [REVIEW] Permissions-Policy: recommendations always populated — spurious "Fix:" output when status is good #22).
• Expanded clean areas verification: Added confirmation that the following areas are functioning correctly:
  • fetch.ts: AbortController timeout implementation with proper timer cleanup
  • analyzer.ts: Grade calculation and percentage rounding logic
  • index.ts: Correct dispatch between URL-fetch and header-object analysis paths
  • cli.ts: Exit code gating (D or F grades trigger exit code 1) matches documented CI behavior

Notes

The review identified a consistency issue in the Permissions-Policy check function where it violates the established pattern of returning empty recommendations for passing checks, which could confuse users with false positive remediation suggestions.

https://claude.ai/code/session_01VYcnkdojpyN6Am3NZ4mAuN