@clear-capabilities/agentic-security-scanner 0.74.0

package/src/integrations/.agentic-security/findings.json

@@ -0,0 +1,1504 @@
+{
+  "scanId": "25ac4913-94b8-4713-a870-a7e371a6540e",
+  "startedAt": "2026-05-18T17:50:17.286Z",
+  "durationMs": 109,
+  "scanned": {
+    "files": 2,
+    "lines": 0
+  },
+  "findings": [
+    {
+      "id": "struct:index.js:23:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
+      "owaspLlm": null,
+      "stride": "Denial of Service",
+      "file": "index.js",
+      "line": 23,
+      "snippet": "if (!fs.existsSync(fp)) return {};",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": null,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `index.js:23` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      }
+    },
+    {
+      "id": "struct:index.js:24:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
+      "owaspLlm": null,
+      "stride": "Denial of Service",
+      "file": "index.js",
+      "line": 24,
+      "snippet": "try { return yaml.load(fs.readFileSync(fp, 'utf8')) || {}; }",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": null,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `index.js:24` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      }
+    },
+    {
+      "id": "struct:tickets.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
+      "owaspLlm": null,
+      "stride": "Denial of Service",
+      "file": "tickets.js",
+      "line": 26,
+      "snippet": "if (!fs.existsSync(fp)) return {};",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": null,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tickets.js:26` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      }
+    },
+    {
+      "id": "struct:tickets.js:27:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
+      "owaspLlm": null,
+      "stride": "Denial of Service",
+      "file": "tickets.js",
+      "line": 27,
+      "snippet": "try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return {}; }",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": null,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tickets.js:27` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      }
+    },
+    {
+      "id": "struct:tickets.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
+      "owaspLlm": null,
+      "stride": "Denial of Service",
+      "file": "tickets.js",
+      "line": 31,
+      "snippet": "fs.writeFileSync(statePath(scanRoot), JSON.stringify(state, null, 2));",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": null,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tickets.js:31` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      }
+    },
+    {
+      "id": "struct:tickets.js:146:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
+      "owaspLlm": null,
+      "stride": "Denial of Service",
+      "file": "tickets.js",
+      "line": 146,
+      "snippet": "if (!fs.existsSync(lastScanPath)) return { ok: false, error: 'no last-scan.json — run a scan first' };",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": null,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tickets.js:146` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      }
+    },
+    {
+      "id": "struct:tickets.js:147:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
+      "owaspLlm": null,
+      "stride": "Denial of Service",
+      "file": "tickets.js",
+      "line": 147,
+      "snippet": "const last = JSON.parse(fs.readFileSync(lastScanPath, 'utf8'));",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": null,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tickets.js:147` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      }
+    },
+    {
+      "id": "b4961817017f5422",
+      "kind": "logic",
+      "severity": "medium",
+      "vuln": "Timing Oracle — Non-Constant-Time Secret Comparison",
+      "cwe": "CWE-208",
+      "stride": "Information Disclosure",
+      "file": "index.js",
+      "line": 81,
+      "snippet": "if (!url || process.env.AGENTIC_SECURITY_OFFLINE === '1') return { ok: false, reason: 'offline-or-no-url' };",
+      "fix": {
+        "description": "Use crypto.timingSafeEqual() for all comparisons involving secrets or API keys.",
+        "code": "// BEFORE\nif (req.headers['x-api-key'] === process.env.API_KEY) { ... }\n\n// AFTER\nconst a = Buffer.from(req.headers['x-api-key'] || '');\nconst b = Buffer.from(process.env.API_KEY || '');\nif (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return res.status(401);"
+      },
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "credentials"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 24000,
+        "dollarLikely": 138000,
+        "dollarWorst": 777500,
+        "dollarLow": 24000,
+        "dollarHigh": 777500,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 1000,
+            "likely": 3000,
+            "high": 12500
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "confidence": "low",
+        "narrative": "Timing Oracle — Non-Constant-Time Secret Comparison on `index.js:81` could expose production credentials and API keys. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $24k · likely $138k · worst $778k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+      }
+    },
+    {
+      "id": "631940e0604686a0",
+      "kind": "logic",
+      "severity": "medium",
+      "vuln": "Missing Timeout on Outbound HTTP Request (DoS)",
+      "cwe": "CWE-400",
+      "stride": "Denial of Service",
+      "file": "index.js",
+      "line": 83,
+      "snippet": "const res = await fetch(url, {",
+      "fix": {
+        "description": "Set a timeout on all outbound requests to prevent event-loop starvation from stalled upstreams.",
+        "code": "// fetch (Node 18+)\nconst resp = await fetch(url, { signal: AbortSignal.timeout(5000) });\n\n// axios\nawait axios.get(url, { timeout: 5000 });\n\n// node http\nconst req = http.get(url, cb);\nreq.setTimeout(5000, () => req.destroy());"
+      },
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Missing Timeout on Outbound HTTP Request (DoS) on `index.js:83` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      }
+    },
+    {
+      "id": "a59efade4197e6b8",
+      "kind": "logic",
+      "severity": "medium",
+      "vuln": "Missing Timeout on Outbound HTTP Request (DoS)",
+      "cwe": "CWE-400",
+      "stride": "Denial of Service",
+      "file": "index.js",
+      "line": 192,
+      "snippet": "const r = await fetch(url, {",
+      "fix": {
+        "description": "Set a timeout on all outbound requests to prevent event-loop starvation from stalled upstreams.",
+        "code": "// fetch (Node 18+)\nconst resp = await fetch(url, { signal: AbortSignal.timeout(5000) });\n\n// axios\nawait axios.get(url, { timeout: 5000 });\n\n// node http\nconst req = http.get(url, cb);\nreq.setTimeout(5000, () => req.destroy());"
+      },
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Missing Timeout on Outbound HTTP Request (DoS) on `index.js:192` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      }
+    },
+    {
+      "id": "70f13848a5590cd0",
+      "kind": "logic",
+      "severity": "medium",
+      "vuln": "Missing Timeout on Outbound HTTP Request (DoS)",
+      "cwe": "CWE-400",
+      "stride": "Denial of Service",
+      "file": "index.js",
+      "line": 237,
+      "snippet": "const r = await fetch('https://events.pagerduty.com/v2/enqueue', {",
+      "fix": {
+        "description": "Set a timeout on all outbound requests to prevent event-loop starvation from stalled upstreams.",
+        "code": "// fetch (Node 18+)\nconst resp = await fetch(url, { signal: AbortSignal.timeout(5000) });\n\n// axios\nawait axios.get(url, { timeout: 5000 });\n\n// node http\nconst req = http.get(url, cb);\nreq.setTimeout(5000, () => req.destroy());"
+      },
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Missing Timeout on Outbound HTTP Request (DoS) on `index.js:237` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      }
+    },
+    {
+      "id": "76866788c737e89b",
+      "kind": "logic",
+      "severity": "medium",
+      "vuln": "Missing Timeout on Outbound HTTP Request (DoS)",
+      "cwe": "CWE-400",
+      "stride": "Denial of Service",
+      "file": "index.js",
+      "line": 291,
+      "snippet": "const r = await fetch(url, {",
+      "fix": {
+        "description": "Set a timeout on all outbound requests to prevent event-loop starvation from stalled upstreams.",
+        "code": "// fetch (Node 18+)\nconst resp = await fetch(url, { signal: AbortSignal.timeout(5000) });\n\n// axios\nawait axios.get(url, { timeout: 5000 });\n\n// node http\nconst req = http.get(url, cb);\nreq.setTimeout(5000, () => req.destroy());"
+      },
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Missing Timeout on Outbound HTTP Request (DoS) on `index.js:291` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      }
+    },
+    {
+      "id": "logic:index.js:23:TOCTOU:_existsSync_followed_by_file_op",
+      "kind": "logic",
+      "severity": "medium",
+      "vuln": "TOCTOU: existsSync followed by file op",
+      "cwe": "CWE-367",
+      "stride": "Tampering",
+      "file": "index.js",
+      "line": 23,
+      "snippet": "if (!fs.existsSync(fp)) return {};",
+      "fix": {
+        "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
+        "code": ""
+      },
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "confidence": "low",
+        "narrative": "TOCTOU: existsSync followed by file op on `index.js:23` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+      }
+    },
+    {
+      "id": "a4b3b5acbb4ac145",
+      "kind": "logic",
+      "severity": "medium",
+      "vuln": "Missing Timeout on Outbound HTTP Request (DoS)",
+      "cwe": "CWE-400",
+      "stride": "Denial of Service",
+      "file": "tickets.js",
+      "line": 76,
+      "snippet": "const res = await fetch('https://api.linear.app/graphql', {",
+      "fix": {
+        "description": "Set a timeout on all outbound requests to prevent event-loop starvation from stalled upstreams.",
+        "code": "// fetch (Node 18+)\nconst resp = await fetch(url, { signal: AbortSignal.timeout(5000) });\n\n// axios\nawait axios.get(url, { timeout: 5000 });\n\n// node http\nconst req = http.get(url, cb);\nreq.setTimeout(5000, () => req.destroy());"
+      },
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Missing Timeout on Outbound HTTP Request (DoS) on `tickets.js:76` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      }
+    },
+    {
+      "id": "e2b4be44e7646253",
+      "kind": "logic",
+      "severity": "medium",
+      "vuln": "Missing Timeout on Outbound HTTP Request (DoS)",
+      "cwe": "CWE-400",
+      "stride": "Denial of Service",
+      "file": "tickets.js",
+      "line": 112,
+      "snippet": "const res = await fetch(`${base.replace(/\\/$/, '')}${urlPath}`, {",
+      "fix": {
+        "description": "Set a timeout on all outbound requests to prevent event-loop starvation from stalled upstreams.",
+        "code": "// fetch (Node 18+)\nconst resp = await fetch(url, { signal: AbortSignal.timeout(5000) });\n\n// axios\nawait axios.get(url, { timeout: 5000 });\n\n// node http\nconst req = http.get(url, cb);\nreq.setTimeout(5000, () => req.destroy());"
+      },
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Missing Timeout on Outbound HTTP Request (DoS) on `tickets.js:112` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      }
+    },
+    {
+      "id": "logic:tickets.js:26:TOCTOU:_existsSync_followed_by_file_op",
+      "kind": "logic",
+      "severity": "medium",
+      "vuln": "TOCTOU: existsSync followed by file op",
+      "cwe": "CWE-367",
+      "stride": "Tampering",
+      "file": "tickets.js",
+      "line": 26,
+      "snippet": "if (!fs.existsSync(fp)) return {};",
+      "fix": {
+        "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
+        "code": ""
+      },
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "confidence": "low",
+        "narrative": "TOCTOU: existsSync followed by file op on `tickets.js:26` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+      }
+    },
+    {
+      "id": "logic:tickets.js:146:TOCTOU:_existsSync_followed_by_file_op",
+      "kind": "logic",
+      "severity": "medium",
+      "vuln": "TOCTOU: existsSync followed by file op",
+      "cwe": "CWE-367",
+      "stride": "Tampering",
+      "file": "tickets.js",
+      "line": 146,
+      "snippet": "if (!fs.existsSync(lastScanPath)) return { ok: false, error: 'no last-scan.json — run a scan first' };",
+      "fix": {
+        "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
+        "code": ""
+      },
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "confidence": "low",
+        "narrative": "TOCTOU: existsSync followed by file op on `tickets.js:146` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+      }
+    }
+  ],
+  "bundles": [],
+  "routes": [],
+  "components": [],
+  "suppressedCount": 0,
+  "blastRadiusSignals": {
+    "industry": "generic",
+    "industryConfidence": "low",
+    "jurisdictions": [],
+    "controls": [],
+    "estimatedUsers": 50,
+    "revenueIndicator": "pre-revenue",
+    "hasStripe": false,
+    "hasAuth": false,
+    "hasUserTable": false,
+    "hasPII": false,
+    "hasPHI": false,
+    "hasS3": false
+  }
+}