@clear-capabilities/agentic-security-scanner 0.74.0

package/src/llm-validator/.agentic-security/findings.json

@@ -0,0 +1,1891 @@
+{
+  "scanId": "e4d8ca5c-18e9-436d-8778-68c3e6feb632",
+  "startedAt": "2026-05-20T12:29:43.643Z",
+  "durationMs": 133,
+  "scanned": {
+    "files": 2,
+    "lines": 0
+  },
+  "findings": [
+    {
+      "id": "prompt-tpl:index.js:57:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "kind": "sast",
+      "severity": "high",
+      "vuln": "Prompt Template: user input interpolated into prompt string without isolation",
+      "cwe": "CWE-1336",
+      "owaspLlm": null,
+      "stride": "Spoofing",
+      "file": "index.js",
+      "line": 57,
+      "snippet": "const PROMPT_TEMPLATE = `You are a senior application security engineer reviewing a candidate finding from a static analysis tool.",
+      "fix": {
+        "description": "Prefer the messages array form: `messages=[{\"role\":\"system\",\"content\":SYS},{\"role\":\"user\",\"content\":user_input}]`. Or wrap interpolations with isolation markers and instruct the model to treat content inside them as data only.",
+        "code": ""
+      },
+      "reachable": false,
+      "triage": 39,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.314,
+      "toxicity": 15,
+      "toxicityFactors": [
+        "high-severity"
+      ],
+      "toxicityLabel": "Low",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Server-side template injection (Pug/Jinja2/Twig) → routine path to RCE",
+        "confidence": "low",
+        "narrative": "Prompt Template: user input interpolated into prompt string without isolation on `index.js:57` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Server-side template injection (Pug/Jinja2/Twig) → routine path to RCE."
+      },
+      "stableId": "36003f350e48e148",
+      "confidenceTier": "low",
+      "exploitability": 0.45,
+      "exploitabilityTier": "medium",
+      "exploitabilityFactors": [
+        "sev:high",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "prompt-template-user-input-interpolated-",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": "A finding of type \"Prompt Template: user input interpolated into prompt string without isolation\" at index.js:57. Severity: high. Review the remediation field for class-specific guidance.",
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0.1,
+      "crownJewelTier": "low-value",
+      "crownJewelFactors": [
+        "reads-secret-env"
+      ],
+      "cloneClusterId": "fae27b06c71c94a9",
+      "cloneClusterSize": 1,
+      "provenance": "human-likely",
+      "provenanceScore": 0.18,
+      "typeNarrowed": null,
+      "strideCategory": null,
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.65,
+          "tier": "high",
+          "factors": [
+            "sev:high"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.65,
+          "tier": "high",
+          "factors": [
+            "sev:high"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.65,
+          "tier": "high",
+          "factors": [
+            "sev:high"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.65,
+          "tier": "high",
+          "factors": [
+            "sev:high"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.65,
+          "tier": "high",
+          "factors": [
+            "sev:high"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.65,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/prompt-template-user-input-interpolated-",
+        "ruleId": "CWE-1336",
+        "parser": "pattern",
+        "evidence": {
+          "sinkSnippet": "const PROMPT_TEMPLATE = `You are a senior application security engineer reviewing a candidate finding from a static analysis tool.",
+          "sourceSnippet": null,
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "low-value",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": null,
+      "bountyConfidence": null,
+      "attackPlaybook": null
+    },
+    {
+      "id": "struct:consistency.js:66:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
+      "owaspLlm": null,
+      "stride": "Denial of Service",
+      "file": "consistency.js",
+      "line": 66,
+      "snippet": "if (fs.existsSync(cacheDir)) {",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.212,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `consistency.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      },
+      "stableId": "cd1c964ce2e49d49",
+      "confidenceTier": "very-low",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "dos-sync-io",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0,
+      "crownJewelTier": "unknown",
+      "crownJewelFactors": [],
+      "cloneClusterId": "31e29761689a4980",
+      "cloneClusterSize": 1,
+      "provenance": "human-likely",
+      "provenanceScore": 0.22,
+      "typeNarrowed": null,
+      "strideCategory": "denialOfService",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/dos-sync-io",
+        "ruleId": "CWE-400",
+        "parser": "STRUCTURAL",
+        "evidence": {
+          "sinkSnippet": "if (fs.existsSync(cacheDir)) {",
+          "sourceSnippet": "if (fs.existsSync(cacheDir)) {",
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "unknown",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": {
+        "low": 10,
+        "likely": 40,
+        "high": 120,
+        "program": "web2"
+      },
+      "bountyConfidence": "high",
+      "attackPlaybook": null
+    },
+    {
+      "id": "struct:consistency.js:67:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
+      "owaspLlm": null,
+      "stride": "Denial of Service",
+      "file": "consistency.js",
+      "line": 67,
+      "snippet": "for (const e of fs.readdirSync(cacheDir)) fs.unlinkSync(path.join(cacheDir, e));",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.212,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `consistency.js:67` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      },
+      "stableId": "60e3b2db8a750099",
+      "confidenceTier": "very-low",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "dos-sync-io",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0,
+      "crownJewelTier": "unknown",
+      "crownJewelFactors": [],
+      "cloneClusterId": "88afe4820dcb8a38",
+      "cloneClusterSize": 1,
+      "provenance": "human-likely",
+      "provenanceScore": 0.22,
+      "typeNarrowed": null,
+      "strideCategory": "denialOfService",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/dos-sync-io",
+        "ruleId": "CWE-400",
+        "parser": "STRUCTURAL",
+        "evidence": {
+          "sinkSnippet": "for (const e of fs.readdirSync(cacheDir)) fs.unlinkSync(path.join(cacheDir, e));",
+          "sourceSnippet": "for (const e of fs.readdirSync(cacheDir)) fs.unlinkSync(path.join(cacheDir, e));",
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "unknown",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": {
+        "low": 10,
+        "likely": 40,
+        "high": 120,
+        "program": "web2"
+      },
+      "bountyConfidence": "high",
+      "attackPlaybook": null
+    },
+    {
+      "id": "struct:index.js:116:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
+      "owaspLlm": null,
+      "stride": "Denial of Service",
+      "file": "index.js",
+      "line": 116,
+      "snippet": "if (!fs.existsSync(fp)) return null;",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.212,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `index.js:116` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      },
+      "stableId": "91cf2e9bd1fe407b",
+      "confidenceTier": "very-low",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "dos-sync-io",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0.1,
+      "crownJewelTier": "low-value",
+      "crownJewelFactors": [
+        "reads-secret-env"
+      ],
+      "cloneClusterId": "66b8a8c25816e7f9",
+      "cloneClusterSize": 2,
+      "provenance": "human-likely",
+      "provenanceScore": 0.18,
+      "typeNarrowed": null,
+      "strideCategory": "denialOfService",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/dos-sync-io",
+        "ruleId": "CWE-400",
+        "parser": "STRUCTURAL",
+        "evidence": {
+          "sinkSnippet": "if (!fs.existsSync(fp)) return null;",
+          "sourceSnippet": "if (!fs.existsSync(fp)) return null;",
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "low-value",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": {
+        "low": 10,
+        "likely": 40,
+        "high": 120,
+        "program": "web2"
+      },
+      "bountyConfidence": "high",
+      "attackPlaybook": null
+    },
+    {
+      "id": "struct:index.js:117:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
+      "owaspLlm": null,
+      "stride": "Denial of Service",
+      "file": "index.js",
+      "line": 117,
+      "snippet": "try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return null; }",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.212,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `index.js:117` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      },
+      "stableId": "b3bc63cb273757a2",
+      "confidenceTier": "very-low",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "dos-sync-io",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0.1,
+      "crownJewelTier": "low-value",
+      "crownJewelFactors": [
+        "reads-secret-env"
+      ],
+      "cloneClusterId": "29d998f79544cba7",
+      "cloneClusterSize": 1,
+      "provenance": "human-likely",
+      "provenanceScore": 0.18,
+      "typeNarrowed": null,
+      "strideCategory": "denialOfService",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/dos-sync-io",
+        "ruleId": "CWE-400",
+        "parser": "STRUCTURAL",
+        "evidence": {
+          "sinkSnippet": "try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return null; }",
+          "sourceSnippet": "try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return null; }",
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "low-value",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": {
+        "low": 10,
+        "likely": 40,
+        "high": 120,
+        "program": "web2"
+      },
+      "bountyConfidence": "high",
+      "attackPlaybook": null
+    },
+    {
+      "id": "struct:index.js:123:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
+      "owaspLlm": null,
+      "stride": "Denial of Service",
+      "file": "index.js",
+      "line": 123,
+      "snippet": "try { fs.writeFileSync(fp, JSON.stringify(value, null, 2)); } catch {}",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.212,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `index.js:123` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      },
+      "stableId": "f1bcad60f84cd7d8",
+      "confidenceTier": "very-low",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "dos-sync-io",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0.1,
+      "crownJewelTier": "low-value",
+      "crownJewelFactors": [
+        "reads-secret-env"
+      ],
+      "cloneClusterId": "55a282f0f3dd72ac",
+      "cloneClusterSize": 1,
+      "provenance": "human-likely",
+      "provenanceScore": 0.18,
+      "typeNarrowed": null,
+      "strideCategory": "denialOfService",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/dos-sync-io",
+        "ruleId": "CWE-400",
+        "parser": "STRUCTURAL",
+        "evidence": {
+          "sinkSnippet": "try { fs.writeFileSync(fp, JSON.stringify(value, null, 2)); } catch {}",
+          "sourceSnippet": "try { fs.writeFileSync(fp, JSON.stringify(value, null, 2)); } catch {}",
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "low-value",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": {
+        "low": 10,
+        "likely": 40,
+        "high": 120,
+        "program": "web2"
+      },
+      "bountyConfidence": "high",
+      "attackPlaybook": null
+    },
+    {
+      "id": "toctou-fs:index.js:116",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "TOCTOU: file existence/permission check before open",
+      "cwe": "CWE-367",
+      "owaspLlm": null,
+      "stride": "Tampering",
+      "file": "index.js",
+      "line": 116,
+      "snippet": "if (!fs.existsSync(fp)) return null;",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.7,
+      "toxicity": 8,
+      "toxicityFactors": [],
+      "toxicityLabel": "Low",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "confidence": "low",
+        "narrative": "TOCTOU: file existence/permission check before open on `index.js:116` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+      },
+      "stableId": "e3ea9a39f5387898",
+      "confidenceTier": "medium",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "toctou-file-existence-permission-check-b",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0.1,
+      "crownJewelTier": "low-value",
+      "crownJewelFactors": [
+        "reads-secret-env"
+      ],
+      "cloneClusterId": "66b8a8c25816e7f9",
+      "cloneClusterSize": 2,
+      "provenance": "human-likely",
+      "provenanceScore": 0.18,
+      "typeNarrowed": null,
+      "strideCategory": "tampering",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/toctou-file-existence-permission-check-b",
+        "ruleId": "CWE-367",
+        "parser": "TOCTOU",
+        "evidence": {
+          "sinkSnippet": "if (!fs.existsSync(fp)) return null;",
+          "sourceSnippet": null,
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "low-value",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": null,
+      "bountyConfidence": null,
+      "attackPlaybook": null
+    },
+    {
+      "id": "b73122a9107687a2",
+      "kind": "logic",
+      "severity": "medium",
+      "vuln": "Missing Timeout on Outbound HTTP Request (DoS)",
+      "cwe": "CWE-400",
+      "stride": "Denial of Service",
+      "file": "index.js",
+      "line": 185,
+      "snippet": "const r = await fetch(endpoint, { method: 'POST', headers, body: JSON.stringify(body) });",
+      "fix": {
+        "description": "Set a timeout on all outbound requests to prevent event-loop starvation from stalled upstreams.",
+        "code": "// fetch (Node 18+)\nconst resp = await fetch(url, { signal: AbortSignal.timeout(5000) });\n\n// axios\nawait axios.get(url, { timeout: 5000 });\n\n// node http\nconst req = http.get(url, cb);\nreq.setTimeout(5000, () => req.destroy());"
+      },
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Missing Timeout on Outbound HTTP Request (DoS) on `index.js:185` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      }
+    },
+    {
+      "id": "logic:index.js:116:TOCTOU:_existsSync_followed_by_file_op",
+      "kind": "logic",
+      "severity": "medium",
+      "vuln": "TOCTOU: existsSync followed by file op",
+      "cwe": "CWE-367",
+      "stride": "Tampering",
+      "file": "index.js",
+      "line": 116,
+      "snippet": "if (!fs.existsSync(fp)) return null;",
+      "fix": {
+        "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
+        "code": ""
+      },
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "confidence": "low",
+        "narrative": "TOCTOU: existsSync followed by file op on `index.js:116` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+      }
+    }
+  ],
+  "bundles": [],
+  "routes": [],
+  "components": [],
+  "suppressedCount": 2,
+  "blastRadiusSignals": {
+    "industry": "generic",
+    "industryConfidence": "low",
+    "jurisdictions": [],
+    "controls": [],
+    "estimatedUsers": 50,
+    "revenueIndicator": "pre-revenue",
+    "hasStripe": false,
+    "hasAuth": false,
+    "hasUserTable": false,
+    "hasPII": false,
+    "hasPHI": false,
+    "hasS3": false
+  },
+  "_v3": {
+    "counterfactual": {
+      "spofControls": [],
+      "controlsDetected": 28
+    },
+    "threatModel": {
+      "summary": {
+        "assetCount": 1,
+        "boundaryCount": 0,
+        "strideCounts": {
+          "spoofing": 0,
+          "tampering": 1,
+          "repudiation": 0,
+          "informationDisclosure": 0,
+          "denialOfService": 5,
+          "elevationOfPrivilege": 0
+        }
+      },
+      "assets": [
+        {
+          "name": "AGENTIC_SECURITY_LLM_API_KEY",
+          "file": "index.js",
+          "line": 95,
+          "category": "secret",
+          "exposure": "internal"
+        }
+      ],
+      "trustBoundaries": [],
+      "stride": {
+        "spoofing": [],
+        "tampering": [
+          {
+            "vuln": "TOCTOU: file existence/permission check before open",
+            "file": "index.js",
+            "line": 116,
+            "severity": "medium"
+          }
+        ],
+        "repudiation": [],
+        "informationDisclosure": [],
+        "denialOfService": [
+          {
+            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+            "file": "consistency.js",
+            "severity": "medium"
+          },
+          {
+            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+            "file": "consistency.js",
+            "severity": "medium"
+          },
+          {
+            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+            "file": "index.js",
+            "severity": "medium"
+          },
+          {
+            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+            "file": "index.js",
+            "severity": "medium"
+          },
+          {
+            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+            "file": "index.js",
+            "severity": "medium"
+          }
+        ],
+        "elevationOfPrivilege": []
+      }
+    },
+    "trustBoundaryDiagram": {
+      "mermaid": "flowchart LR\n  INTERNET((Internet))\n  APP[\"Application\"]\n  asset_secret_AGENTIC_SECURITY_LLM_API_KEY[/\"secret: AGENTIC_SECURITY_LLM_API_KEY\"/]\n  APP -->|asset| asset_secret_AGENTIC_SECURITY_LLM_API_KEY\n  classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n  classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n  classDef sev_medium fill:#fff3cd,stroke:#a80;\n  classDef sev_low fill:#e8eaf6,stroke:#557;",
+      "nodes": [
+        {
+          "id": "INTERNET",
+          "kind": "external",
+          "label": "Internet"
+        },
+        {
+          "id": "APP",
+          "kind": "app",
+          "label": "Application"
+        },
+        {
+          "id": "asset_secret_AGENTIC_SECURITY_LLM_API_KEY",
+          "kind": "asset",
+          "label": "secret: AGENTIC_SECURITY_LLM_API_KEY"
+        }
+      ],
+      "edges": [
+        {
+          "from": "APP",
+          "to": "asset_secret_AGENTIC_SECURITY_LLM_API_KEY",
+          "kind": "asset"
+        }
+      ],
+      "decorations": []
+    },
+    "calibrationDrift": {
+      "alarms": [],
+      "note": "no-feedback-data"
+    }
+  }
+}