@clear-capabilities/agentic-security-scanner 0.76.1 → 0.78.0

package/src/ir/.agentic-security/findings.json

@@ -1,9 +1,9 @@
 {
-  "scanId": "e3eb4e8f-6086-4f67-abc4-9f0666ae3092",
-  "startedAt": "2026-05-20T17:01:27.260Z",
-  "durationMs": 291,
+  "scanId": "1a8e7623-7074-46ec-9fe6-a8a0d25ee3c6",
+  "startedAt": "2026-05-27T02:22:41.834Z",
+  "durationMs": 363,
   "scanned": {
-    "files": 12,
+    "files": 15,
     "lines": 0
   },
   "findings": [
@@ -117,6 +117,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "mass-assignment",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -152,9 +153,493 @@
         "shell-execution"
       ],
       "cloneClusterId": "a0c829a31c63bf1a",
-      "cloneClusterSize": 2,
+      "cloneClusterSize": 5,
+      "provenance": "human-likely",
+      "provenanceScore": 0.08,
+      "typeNarrowed": null,
+      "strideCategory": null,
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.65,
+          "tier": "high",
+          "factors": [
+            "sev:high"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.85,
+          "tier": "critical",
+          "factors": [
+            "sev:high",
+            "bias:mass-assignment+0.20"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.65,
+          "tier": "high",
+          "factors": [
+            "sev:high"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.65,
+          "tier": "high",
+          "factors": [
+            "sev:high"
+          ]
+        },
+        "malicious-insider": {
+          "score": 1,
+          "tier": "critical",
+          "factors": [
+            "sev:high",
+            "bias:mass-assignment+0.25",
+            "authz-bypass-favored"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "malicious-insider",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "malicious-insider",
+      "personaMaxScore": 1,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/mass-assignment",
+        "ruleId": "CWE-915",
+        "parser": "STRUCTURAL",
+        "evidence": {
+          "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
+          "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "low-value",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": {
+        "low": 50,
+        "likely": 200,
+        "high": 600,
+        "program": "web2"
+      },
+      "bountyConfidence": "medium",
+      "attackPlaybook": {
+        "cwe": "CWE-915",
+        "kind": "curl",
+        "title": "Mass assignment — privilege escalation probe",
+        "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
+        "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n  -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n  -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
+        "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
+      }
+    },
+    {
+      "id": "struct:parser-go.js:253:Mass_Assignment_(req.body_Direct_to_Model)",
+      "kind": "sast",
+      "severity": "high",
+      "vuln": "Mass Assignment (req.body Direct to Model)",
+      "cwe": "CWE-915",
+      "owaspLlm": null,
+      "stride": "Tampering",
+      "file": "parser-go.js",
+      "line": 253,
+      "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
+      "fix": null,
+      "reachable": false,
+      "triage": 39,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.314,
+      "toxicity": 35,
+      "toxicityFactors": [
+        "high-severity",
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
+        "confidence": "low",
+        "narrative": "Mass Assignment (req.body Direct to Model) on `parser-go.js:253` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
+      },
+      "stableId": "a28da8de4671367b",
+      "confidenceTier": "low",
+      "exploitability": 0.45,
+      "exploitabilityTier": "medium",
+      "exploitabilityFactors": [
+        "sev:high",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "mass-assignment",
+      "parser": "STRUCTURAL",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 5,
+      "calibration_reason": "insufficient-samples",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-go.js:?. Severity: high. Review the remediation field for class-specific guidance.",
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0.15,
+      "crownJewelTier": "low-value",
+      "crownJewelFactors": [
+        "shell-execution"
+      ],
+      "cloneClusterId": "a0c829a31c63bf1a",
+      "cloneClusterSize": 5,
+      "provenance": "human-likely",
+      "provenanceScore": 0,
+      "typeNarrowed": null,
+      "strideCategory": null,
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.65,
+          "tier": "high",
+          "factors": [
+            "sev:high"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.85,
+          "tier": "critical",
+          "factors": [
+            "sev:high",
+            "bias:mass-assignment+0.20"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.65,
+          "tier": "high",
+          "factors": [
+            "sev:high"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.65,
+          "tier": "high",
+          "factors": [
+            "sev:high"
+          ]
+        },
+        "malicious-insider": {
+          "score": 1,
+          "tier": "critical",
+          "factors": [
+            "sev:high",
+            "bias:mass-assignment+0.25",
+            "authz-bypass-favored"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "malicious-insider",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "malicious-insider",
+      "personaMaxScore": 1,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/mass-assignment",
+        "ruleId": "CWE-915",
+        "parser": "STRUCTURAL",
+        "evidence": {
+          "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
+          "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "low-value",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": {
+        "low": 50,
+        "likely": 200,
+        "high": 600,
+        "program": "web2"
+      },
+      "bountyConfidence": "medium",
+      "attackPlaybook": {
+        "cwe": "CWE-915",
+        "kind": "curl",
+        "title": "Mass assignment — privilege escalation probe",
+        "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
+        "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n  -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n  -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
+        "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
+      }
+    },
+    {
+      "id": "struct:parser-kt.js:207:Mass_Assignment_(req.body_Direct_to_Model)",
+      "kind": "sast",
+      "severity": "high",
+      "vuln": "Mass Assignment (req.body Direct to Model)",
+      "cwe": "CWE-915",
+      "owaspLlm": null,
+      "stride": "Tampering",
+      "file": "parser-kt.js",
+      "line": 207,
+      "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
+      "fix": null,
+      "reachable": false,
+      "triage": 39,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.314,
+      "toxicity": 35,
+      "toxicityFactors": [
+        "high-severity",
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
+        "confidence": "low",
+        "narrative": "Mass Assignment (req.body Direct to Model) on `parser-kt.js:207` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
+      },
+      "stableId": "2fc3bac9558c1472",
+      "confidenceTier": "low",
+      "exploitability": 0.45,
+      "exploitabilityTier": "medium",
+      "exploitabilityFactors": [
+        "sev:high",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "mass-assignment",
+      "parser": "STRUCTURAL",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 5,
+      "calibration_reason": "insufficient-samples",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-kt.js:?. Severity: high. Review the remediation field for class-specific guidance.",
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0.15,
+      "crownJewelTier": "low-value",
+      "crownJewelFactors": [
+        "shell-execution"
+      ],
+      "cloneClusterId": "a0c829a31c63bf1a",
+      "cloneClusterSize": 5,
       "provenance": "human-likely",
-      "provenanceScore": 0.08,
+      "provenanceScore": 0,
       "typeNarrowed": null,
       "strideCategory": null,
       "personaScores": {
@@ -249,15 +734,15 @@
       }
     },
     {
-      "id": "struct:parser-kt.js:207:Mass_Assignment_(req.body_Direct_to_Model)",
+      "id": "struct:parser-php.js:209:Mass_Assignment_(req.body_Direct_to_Model)",
       "kind": "sast",
       "severity": "high",
       "vuln": "Mass Assignment (req.body Direct to Model)",
       "cwe": "CWE-915",
       "owaspLlm": null,
       "stride": "Tampering",
-      "file": "parser-kt.js",
-      "line": 207,
+      "file": "parser-php.js",
+      "line": 209,
       "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
       "fix": null,
       "reachable": false,
@@ -341,9 +826,9 @@
         "dominantDriver": "legal counsel",
         "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
         "confidence": "low",
-        "narrative": "Mass Assignment (req.body Direct to Model) on `parser-kt.js:207` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
+        "narrative": "Mass Assignment (req.body Direct to Model) on `parser-php.js:209` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
       },
-      "stableId": "2fc3bac9558c1472",
+      "stableId": "b73364b3c23bcce8",
       "confidenceTier": "low",
       "exploitability": 0.45,
       "exploitabilityTier": "medium",
@@ -358,6 +843,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "mass-assignment",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -370,7 +856,7 @@
       "verifier_verdict": "cannot-verify",
       "verifier_reason": "no-poc-no-sanitizer-rule",
       "verifier_runner": null,
-      "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-kt.js:?. Severity: high. Review the remediation field for class-specific guidance.",
+      "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-php.js:?. Severity: high. Review the remediation field for class-specific guidance.",
       "mitigationVerdict": "unreachable-in-prod",
       "mitigationsApplied": [],
       "mitigatedByWaf": false,
@@ -393,7 +879,249 @@
         "shell-execution"
       ],
       "cloneClusterId": "a0c829a31c63bf1a",
-      "cloneClusterSize": 2,
+      "cloneClusterSize": 5,
+      "provenance": "human-likely",
+      "provenanceScore": 0,
+      "typeNarrowed": null,
+      "strideCategory": null,
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.65,
+          "tier": "high",
+          "factors": [
+            "sev:high"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.85,
+          "tier": "critical",
+          "factors": [
+            "sev:high",
+            "bias:mass-assignment+0.20"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.65,
+          "tier": "high",
+          "factors": [
+            "sev:high"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.65,
+          "tier": "high",
+          "factors": [
+            "sev:high"
+          ]
+        },
+        "malicious-insider": {
+          "score": 1,
+          "tier": "critical",
+          "factors": [
+            "sev:high",
+            "bias:mass-assignment+0.25",
+            "authz-bypass-favored"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "malicious-insider",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "malicious-insider",
+      "personaMaxScore": 1,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/mass-assignment",
+        "ruleId": "CWE-915",
+        "parser": "STRUCTURAL",
+        "evidence": {
+          "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
+          "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "low-value",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": {
+        "low": 50,
+        "likely": 200,
+        "high": 600,
+        "program": "web2"
+      },
+      "bountyConfidence": "medium",
+      "attackPlaybook": {
+        "cwe": "CWE-915",
+        "kind": "curl",
+        "title": "Mass assignment — privilege escalation probe",
+        "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
+        "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n  -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n  -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
+        "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
+      }
+    },
+    {
+      "id": "struct:parser-rb.js:201:Mass_Assignment_(req.body_Direct_to_Model)",
+      "kind": "sast",
+      "severity": "high",
+      "vuln": "Mass Assignment (req.body Direct to Model)",
+      "cwe": "CWE-915",
+      "owaspLlm": null,
+      "stride": "Tampering",
+      "file": "parser-rb.js",
+      "line": 201,
+      "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
+      "fix": null,
+      "reachable": false,
+      "triage": 39,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.314,
+      "toxicity": 35,
+      "toxicityFactors": [
+        "high-severity",
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
+        "confidence": "low",
+        "narrative": "Mass Assignment (req.body Direct to Model) on `parser-rb.js:201` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
+      },
+      "stableId": "1889976dc0f1120c",
+      "confidenceTier": "low",
+      "exploitability": 0.45,
+      "exploitabilityTier": "medium",
+      "exploitabilityFactors": [
+        "sev:high",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "mass-assignment",
+      "parser": "STRUCTURAL",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 5,
+      "calibration_reason": "insufficient-samples",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-rb.js:?. Severity: high. Review the remediation field for class-specific guidance.",
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0.15,
+      "crownJewelTier": "low-value",
+      "crownJewelFactors": [
+        "shell-execution"
+      ],
+      "cloneClusterId": "a0c829a31c63bf1a",
+      "cloneClusterSize": 5,
       "provenance": "human-likely",
       "provenanceScore": 0,
       "typeNarrowed": null,
@@ -598,6 +1326,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -828,6 +1557,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -1058,6 +1788,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -1288,6 +2019,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -1518,6 +2250,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -1748,6 +2481,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -1978,6 +2712,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -2208,6 +2943,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -2439,6 +3175,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -2672,6 +3409,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -2867,7 +3605,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "TOCTOU: existsSync followed by file op on `type-stubs.js:57` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     }
   ],
   "bundles": [],
@@ -2891,7 +3631,7 @@
   "_v3": {
     "counterfactual": {
       "spofControls": [],
-      "controlsDetected": 240
+      "controlsDetected": 307
     },
     "threatModel": {
       "summary": {
@@ -3032,5 +3772,6 @@
       "alarms": [],
       "note": "no-feedback-data"
     }
-  }
+  },
+  "annotatorErrors": []
 }