Update triage state with latest issue reviews and actions

[BodenMcHale]

Summary

This update reflects the latest triage automation run, capturing new issue actions and skipped items based on recent substantive reviews.

Key Changes

• New action recorded: Issue [REVIEW] Permissions-Policy: recommendations always populated — spurious "Fix:" output when status is good #22 - Identified test gap and CLI output bug in recommendations array handling at src/rules.ts:141, with proposed one-line ternary fix
• Expanded skip list: Added 9 new skipped issues ([REVIEW] Cross-Origin Policies: scored by presence only — unsafe-none / cross-origin get full credit #8, [REVIEW] Permissions-Policy tests: 4 assertions broken by merge regression — main branch CI is red #15, [REVIEW] CSP: wildcard (*) detection covers only default-src and script-src — connect-src *, form-action *, and mid-policy wildcards silently pass #16, [REVIEW] HSTS: max-age=0 (HSTS revocation) scores status 'good' due to bonus points from includeSubDomains and preload #17, [REVIEW] Referrer-Policy: no-referrer-when-downgrade classified as "strong" — awards full score for the historical browser default that leaks full URLs cross-origin #18, [REVIEW] CSP: missing form-action directive not flagged — default-src 'self' leaves form submissions unrestricted #19, [REVIEW] CSP: Content-Security-Policy-Report-Only is invisible to the analyzer — report-only deployments score 0/30 as if no CSP exists #20, [REVIEW] CSP: 'unsafe-inline' penalized even when 'strict-dynamic' + nonce is present — false positive flags a recommended strict CSP pattern #21, [REVIEW] X-Frame-Options: checkXFrameOptions awards 15/15 "good" for any frame-ancestors value — including frame-ancestors * which provides zero clickjacking protection #23) that received recent substantive triage reviews from BodenMcHale, all within the 48-hour skip window
• Updated metadata: Last run timestamp advanced to 2026-05-26T12:00:00Z with new commit hash

Notable Details

The skipped issues cover a range of CSP analyzer improvements including:

• Presence-only scoring logic (issues [REVIEW] Cross-Origin Policies: scored by presence only — unsafe-none / cross-origin get full credit #8, [REVIEW] X-Frame-Options: checkXFrameOptions awards 15/15 "good" for any frame-ancestors value — including frame-ancestors * which provides zero clickjacking protection #23)
• Regex pattern refinements (issue [REVIEW] CSP: wildcard (*) detection covers only default-src and script-src — connect-src *, form-action *, and mid-policy wildcards silently pass #16)
• Scoring bonus handling (issue [REVIEW] HSTS: max-age=0 (HSTS revocation) scores status 'good' due to bonus points from includeSubDomains and preload #17)
• Missing directive checks (issue [REVIEW] CSP: missing form-action directive not flagged — default-src 'self' leaves form submissions unrestricted #19)
• Report-Only header handling (issue [REVIEW] CSP: Content-Security-Policy-Report-Only is invisible to the analyzer — report-only deployments score 0/30 as if no CSP exists #20)
• False positive fixes for strict-dynamic+nonce (issue [REVIEW] CSP: 'unsafe-inline' penalized even when 'strict-dynamic' + nonce is present — false positive flags a recommended strict CSP pattern #21)
• Test failure tracking (issue [REVIEW] Permissions-Policy tests: 4 assertions broken by merge regression — main branch CI is red #15)

All skipped items have documented timestamps and specific code locations referenced in their review comments.

https://claude.ai/code/session_015heuhDGVdtq6M7e4q8vgPj