@clear-capabilities/agentic-security-scanner 0.78.0 → 0.79.0

package/src/ir/.agentic-security/findings.json

@@ -1,3777 +0,0 @@
-{
-  "scanId": "1a8e7623-7074-46ec-9fe6-a8a0d25ee3c6",
-  "startedAt": "2026-05-27T02:22:41.834Z",
-  "durationMs": 363,
-  "scanned": {
-    "files": 15,
-    "lines": 0
-  },
-  "findings": [
-    {
-      "id": "struct:parser-cs.js:208:Mass_Assignment_(req.body_Direct_to_Model)",
-      "kind": "sast",
-      "severity": "high",
-      "vuln": "Mass Assignment (req.body Direct to Model)",
-      "cwe": "CWE-915",
-      "owaspLlm": null,
-      "stride": "Tampering",
-      "file": "parser-cs.js",
-      "line": 208,
-      "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
-      "fix": null,
-      "reachable": false,
-      "triage": 39,
-      "dataClasses": [],
-      "chain": null,
-      "confidence": 0.314,
-      "toxicity": 35,
-      "toxicityFactors": [
-        "high-severity",
-        "http-facing"
-      ],
-      "toxicityLabel": "Medium",
-      "sources": null,
-      "epssScore": null,
-      "epssPercentile": null,
-      "epssCve": null,
-      "exploitedNow": false,
-      "tags": null,
-      "blastRadius": {
-        "scope": "all-users",
-        "dataAtRisk": [
-          "config"
-        ],
-        "userCount": 50,
-        "industry": "generic",
-        "jurisdictions": [],
-        "controlsApplied": [],
-        "dollarBest": 23250,
-        "dollarLikely": 136250,
-        "dollarWorst": 775000,
-        "dollarLow": 23250,
-        "dollarHigh": 775000,
-        "components": {
-          "incidentResponse": {
-            "low": 8000,
-            "likely": 50000,
-            "high": 250000
-          },
-          "legal": {
-            "low": 10000,
-            "likely": 75000,
-            "high": 500000
-          },
-          "crisisPR": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "notification": {
-            "low": 5000,
-            "likely": 10000,
-            "high": 15000
-          },
-          "creditMonitoring": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "regulatoryFines": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "directDamage": {
-            "low": 250,
-            "likely": 1250,
-            "high": 10000
-          },
-          "classAction": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "lostBusiness": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          }
-        },
-        "dominantDriver": "legal counsel",
-        "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
-        "confidence": "low",
-        "narrative": "Mass Assignment (req.body Direct to Model) on `parser-cs.js:208` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
-      },
-      "stableId": "1881a55e55ca05ef",
-      "confidenceTier": "low",
-      "exploitability": 0.45,
-      "exploitabilityTier": "medium",
-      "exploitabilityFactors": [
-        "sev:high",
-        "unreachable"
-      ],
-      "clusterSize": null,
-      "unreachable": false,
-      "validator_verdict": "unvalidated",
-      "llm_confidence": null,
-      "unvalidated": true,
-      "cross_language": false,
-      "family": "mass-assignment",
-      "parser": "STRUCTURAL",
-      "_unsigned": false,
-      "_passThroughSigning": false,
-      "signatureStatus": "verified",
-      "regression_test": null,
-      "poc": null,
-      "calibrated_confidence": null,
-      "calibrated_confidence_ci": null,
-      "calibrated_n": 5,
-      "calibration_reason": "insufficient-samples",
-      "verifier_verdict": "cannot-verify",
-      "verifier_reason": "no-poc-no-sanitizer-rule",
-      "verifier_runner": null,
-      "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-cs.js:?. Severity: high. Review the remediation field for class-specific guidance.",
-      "mitigationVerdict": "unreachable-in-prod",
-      "mitigationsApplied": [],
-      "mitigatedByWaf": false,
-      "wafRuleId": null,
-      "mitigatedByAuth": false,
-      "authMechanism": null,
-      "mitigatedByNetwork": false,
-      "networkExposure": null,
-      "featureFlag": null,
-      "featureFlagState": null,
-      "featureFlagRollout": null,
-      "exposedInProd": false,
-      "unreachableInProd": true,
-      "coldPath": false,
-      "hotPath": false,
-      "prodRequestCount": null,
-      "crownJewelScore": 0.15,
-      "crownJewelTier": "low-value",
-      "crownJewelFactors": [
-        "shell-execution"
-      ],
-      "cloneClusterId": "a0c829a31c63bf1a",
-      "cloneClusterSize": 5,
-      "provenance": "human-likely",
-      "provenanceScore": 0.08,
-      "typeNarrowed": null,
-      "strideCategory": null,
-      "personaScores": {
-        "script-kiddie": {
-          "score": 0.65,
-          "tier": "high",
-          "factors": [
-            "sev:high"
-          ]
-        },
-        "opportunistic-criminal": {
-          "score": 0.85,
-          "tier": "critical",
-          "factors": [
-            "sev:high",
-            "bias:mass-assignment+0.20"
-          ]
-        },
-        "apt-nation-state": {
-          "score": 0.65,
-          "tier": "high",
-          "factors": [
-            "sev:high"
-          ]
-        },
-        "supply-chain-attacker": {
-          "score": 0.65,
-          "tier": "high",
-          "factors": [
-            "sev:high"
-          ]
-        },
-        "malicious-insider": {
-          "score": 1,
-          "tier": "critical",
-          "factors": [
-            "sev:high",
-            "bias:mass-assignment+0.25",
-            "authz-bypass-favored"
-          ]
-        }
-      },
-      "personaTopTwo": [
-        "malicious-insider",
-        "opportunistic-criminal"
-      ],
-      "personaMaxName": "malicious-insider",
-      "personaMaxScore": 1,
-      "reverseExposure": null,
-      "specMined": null,
-      "whyFired": {
-        "detector": "sast/mass-assignment",
-        "ruleId": "CWE-915",
-        "parser": "STRUCTURAL",
-        "evidence": {
-          "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
-          "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
-          "pathSteps": [],
-          "sanitizers": [],
-          "guards": []
-        },
-        "considered": {
-          "suppressionsApplied": [],
-          "suppressionsSkipped": [],
-          "reachabilityFilter": "unaffected",
-          "clusterCollapsed": false,
-          "typeNarrowed": false,
-          "crownJewelTier": "low-value",
-          "mitigationVerdict": "unreachable-in-prod"
-        },
-        "scanner": {
-          "rulesetVersion": null,
-          "packHash": null,
-          "modelId": null
-        }
-      },
-      "adversaryTranscript": null,
-      "predictedBountyUsd": {
-        "low": 50,
-        "likely": 200,
-        "high": 600,
-        "program": "web2"
-      },
-      "bountyConfidence": "medium",
-      "attackPlaybook": {
-        "cwe": "CWE-915",
-        "kind": "curl",
-        "title": "Mass assignment — privilege escalation probe",
-        "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
-        "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n  -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n  -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
-        "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
-      }
-    },
-    {
-      "id": "struct:parser-go.js:253:Mass_Assignment_(req.body_Direct_to_Model)",
-      "kind": "sast",
-      "severity": "high",
-      "vuln": "Mass Assignment (req.body Direct to Model)",
-      "cwe": "CWE-915",
-      "owaspLlm": null,
-      "stride": "Tampering",
-      "file": "parser-go.js",
-      "line": 253,
-      "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
-      "fix": null,
-      "reachable": false,
-      "triage": 39,
-      "dataClasses": [],
-      "chain": null,
-      "confidence": 0.314,
-      "toxicity": 35,
-      "toxicityFactors": [
-        "high-severity",
-        "http-facing"
-      ],
-      "toxicityLabel": "Medium",
-      "sources": null,
-      "epssScore": null,
-      "epssPercentile": null,
-      "epssCve": null,
-      "exploitedNow": false,
-      "tags": null,
-      "blastRadius": {
-        "scope": "all-users",
-        "dataAtRisk": [
-          "config"
-        ],
-        "userCount": 50,
-        "industry": "generic",
-        "jurisdictions": [],
-        "controlsApplied": [],
-        "dollarBest": 23250,
-        "dollarLikely": 136250,
-        "dollarWorst": 775000,
-        "dollarLow": 23250,
-        "dollarHigh": 775000,
-        "components": {
-          "incidentResponse": {
-            "low": 8000,
-            "likely": 50000,
-            "high": 250000
-          },
-          "legal": {
-            "low": 10000,
-            "likely": 75000,
-            "high": 500000
-          },
-          "crisisPR": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "notification": {
-            "low": 5000,
-            "likely": 10000,
-            "high": 15000
-          },
-          "creditMonitoring": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "regulatoryFines": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "directDamage": {
-            "low": 250,
-            "likely": 1250,
-            "high": 10000
-          },
-          "classAction": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "lostBusiness": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          }
-        },
-        "dominantDriver": "legal counsel",
-        "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
-        "confidence": "low",
-        "narrative": "Mass Assignment (req.body Direct to Model) on `parser-go.js:253` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
-      },
-      "stableId": "a28da8de4671367b",
-      "confidenceTier": "low",
-      "exploitability": 0.45,
-      "exploitabilityTier": "medium",
-      "exploitabilityFactors": [
-        "sev:high",
-        "unreachable"
-      ],
-      "clusterSize": null,
-      "unreachable": false,
-      "validator_verdict": "unvalidated",
-      "llm_confidence": null,
-      "unvalidated": true,
-      "cross_language": false,
-      "family": "mass-assignment",
-      "parser": "STRUCTURAL",
-      "_unsigned": false,
-      "_passThroughSigning": false,
-      "signatureStatus": "verified",
-      "regression_test": null,
-      "poc": null,
-      "calibrated_confidence": null,
-      "calibrated_confidence_ci": null,
-      "calibrated_n": 5,
-      "calibration_reason": "insufficient-samples",
-      "verifier_verdict": "cannot-verify",
-      "verifier_reason": "no-poc-no-sanitizer-rule",
-      "verifier_runner": null,
-      "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-go.js:?. Severity: high. Review the remediation field for class-specific guidance.",
-      "mitigationVerdict": "unreachable-in-prod",
-      "mitigationsApplied": [],
-      "mitigatedByWaf": false,
-      "wafRuleId": null,
-      "mitigatedByAuth": false,
-      "authMechanism": null,
-      "mitigatedByNetwork": false,
-      "networkExposure": null,
-      "featureFlag": null,
-      "featureFlagState": null,
-      "featureFlagRollout": null,
-      "exposedInProd": false,
-      "unreachableInProd": true,
-      "coldPath": false,
-      "hotPath": false,
-      "prodRequestCount": null,
-      "crownJewelScore": 0.15,
-      "crownJewelTier": "low-value",
-      "crownJewelFactors": [
-        "shell-execution"
-      ],
-      "cloneClusterId": "a0c829a31c63bf1a",
-      "cloneClusterSize": 5,
-      "provenance": "human-likely",
-      "provenanceScore": 0,
-      "typeNarrowed": null,
-      "strideCategory": null,
-      "personaScores": {
-        "script-kiddie": {
-          "score": 0.65,
-          "tier": "high",
-          "factors": [
-            "sev:high"
-          ]
-        },
-        "opportunistic-criminal": {
-          "score": 0.85,
-          "tier": "critical",
-          "factors": [
-            "sev:high",
-            "bias:mass-assignment+0.20"
-          ]
-        },
-        "apt-nation-state": {
-          "score": 0.65,
-          "tier": "high",
-          "factors": [
-            "sev:high"
-          ]
-        },
-        "supply-chain-attacker": {
-          "score": 0.65,
-          "tier": "high",
-          "factors": [
-            "sev:high"
-          ]
-        },
-        "malicious-insider": {
-          "score": 1,
-          "tier": "critical",
-          "factors": [
-            "sev:high",
-            "bias:mass-assignment+0.25",
-            "authz-bypass-favored"
-          ]
-        }
-      },
-      "personaTopTwo": [
-        "malicious-insider",
-        "opportunistic-criminal"
-      ],
-      "personaMaxName": "malicious-insider",
-      "personaMaxScore": 1,
-      "reverseExposure": null,
-      "specMined": null,
-      "whyFired": {
-        "detector": "sast/mass-assignment",
-        "ruleId": "CWE-915",
-        "parser": "STRUCTURAL",
-        "evidence": {
-          "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
-          "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
-          "pathSteps": [],
-          "sanitizers": [],
-          "guards": []
-        },
-        "considered": {
-          "suppressionsApplied": [],
-          "suppressionsSkipped": [],
-          "reachabilityFilter": "unaffected",
-          "clusterCollapsed": false,
-          "typeNarrowed": false,
-          "crownJewelTier": "low-value",
-          "mitigationVerdict": "unreachable-in-prod"
-        },
-        "scanner": {
-          "rulesetVersion": null,
-          "packHash": null,
-          "modelId": null
-        }
-      },
-      "adversaryTranscript": null,
-      "predictedBountyUsd": {
-        "low": 50,
-        "likely": 200,
-        "high": 600,
-        "program": "web2"
-      },
-      "bountyConfidence": "medium",
-      "attackPlaybook": {
-        "cwe": "CWE-915",
-        "kind": "curl",
-        "title": "Mass assignment — privilege escalation probe",
-        "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
-        "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n  -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n  -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
-        "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
-      }
-    },
-    {
-      "id": "struct:parser-kt.js:207:Mass_Assignment_(req.body_Direct_to_Model)",
-      "kind": "sast",
-      "severity": "high",
-      "vuln": "Mass Assignment (req.body Direct to Model)",
-      "cwe": "CWE-915",
-      "owaspLlm": null,
-      "stride": "Tampering",
-      "file": "parser-kt.js",
-      "line": 207,
-      "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
-      "fix": null,
-      "reachable": false,
-      "triage": 39,
-      "dataClasses": [],
-      "chain": null,
-      "confidence": 0.314,
-      "toxicity": 35,
-      "toxicityFactors": [
-        "high-severity",
-        "http-facing"
-      ],
-      "toxicityLabel": "Medium",
-      "sources": null,
-      "epssScore": null,
-      "epssPercentile": null,
-      "epssCve": null,
-      "exploitedNow": false,
-      "tags": null,
-      "blastRadius": {
-        "scope": "all-users",
-        "dataAtRisk": [
-          "config"
-        ],
-        "userCount": 50,
-        "industry": "generic",
-        "jurisdictions": [],
-        "controlsApplied": [],
-        "dollarBest": 23250,
-        "dollarLikely": 136250,
-        "dollarWorst": 775000,
-        "dollarLow": 23250,
-        "dollarHigh": 775000,
-        "components": {
-          "incidentResponse": {
-            "low": 8000,
-            "likely": 50000,
-            "high": 250000
-          },
-          "legal": {
-            "low": 10000,
-            "likely": 75000,
-            "high": 500000
-          },
-          "crisisPR": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "notification": {
-            "low": 5000,
-            "likely": 10000,
-            "high": 15000
-          },
-          "creditMonitoring": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "regulatoryFines": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "directDamage": {
-            "low": 250,
-            "likely": 1250,
-            "high": 10000
-          },
-          "classAction": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "lostBusiness": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          }
-        },
-        "dominantDriver": "legal counsel",
-        "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
-        "confidence": "low",
-        "narrative": "Mass Assignment (req.body Direct to Model) on `parser-kt.js:207` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
-      },
-      "stableId": "2fc3bac9558c1472",
-      "confidenceTier": "low",
-      "exploitability": 0.45,
-      "exploitabilityTier": "medium",
-      "exploitabilityFactors": [
-        "sev:high",
-        "unreachable"
-      ],
-      "clusterSize": null,
-      "unreachable": false,
-      "validator_verdict": "unvalidated",
-      "llm_confidence": null,
-      "unvalidated": true,
-      "cross_language": false,
-      "family": "mass-assignment",
-      "parser": "STRUCTURAL",
-      "_unsigned": false,
-      "_passThroughSigning": false,
-      "signatureStatus": "verified",
-      "regression_test": null,
-      "poc": null,
-      "calibrated_confidence": null,
-      "calibrated_confidence_ci": null,
-      "calibrated_n": 5,
-      "calibration_reason": "insufficient-samples",
-      "verifier_verdict": "cannot-verify",
-      "verifier_reason": "no-poc-no-sanitizer-rule",
-      "verifier_runner": null,
-      "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-kt.js:?. Severity: high. Review the remediation field for class-specific guidance.",
-      "mitigationVerdict": "unreachable-in-prod",
-      "mitigationsApplied": [],
-      "mitigatedByWaf": false,
-      "wafRuleId": null,
-      "mitigatedByAuth": false,
-      "authMechanism": null,
-      "mitigatedByNetwork": false,
-      "networkExposure": null,
-      "featureFlag": null,
-      "featureFlagState": null,
-      "featureFlagRollout": null,
-      "exposedInProd": false,
-      "unreachableInProd": true,
-      "coldPath": false,
-      "hotPath": false,
-      "prodRequestCount": null,
-      "crownJewelScore": 0.15,
-      "crownJewelTier": "low-value",
-      "crownJewelFactors": [
-        "shell-execution"
-      ],
-      "cloneClusterId": "a0c829a31c63bf1a",
-      "cloneClusterSize": 5,
-      "provenance": "human-likely",
-      "provenanceScore": 0,
-      "typeNarrowed": null,
-      "strideCategory": null,
-      "personaScores": {
-        "script-kiddie": {
-          "score": 0.65,
-          "tier": "high",
-          "factors": [
-            "sev:high"
-          ]
-        },
-        "opportunistic-criminal": {
-          "score": 0.85,
-          "tier": "critical",
-          "factors": [
-            "sev:high",
-            "bias:mass-assignment+0.20"
-          ]
-        },
-        "apt-nation-state": {
-          "score": 0.65,
-          "tier": "high",
-          "factors": [
-            "sev:high"
-          ]
-        },
-        "supply-chain-attacker": {
-          "score": 0.65,
-          "tier": "high",
-          "factors": [
-            "sev:high"
-          ]
-        },
-        "malicious-insider": {
-          "score": 1,
-          "tier": "critical",
-          "factors": [
-            "sev:high",
-            "bias:mass-assignment+0.25",
-            "authz-bypass-favored"
-          ]
-        }
-      },
-      "personaTopTwo": [
-        "malicious-insider",
-        "opportunistic-criminal"
-      ],
-      "personaMaxName": "malicious-insider",
-      "personaMaxScore": 1,
-      "reverseExposure": null,
-      "specMined": null,
-      "whyFired": {
-        "detector": "sast/mass-assignment",
-        "ruleId": "CWE-915",
-        "parser": "STRUCTURAL",
-        "evidence": {
-          "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
-          "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
-          "pathSteps": [],
-          "sanitizers": [],
-          "guards": []
-        },
-        "considered": {
-          "suppressionsApplied": [],
-          "suppressionsSkipped": [],
-          "reachabilityFilter": "unaffected",
-          "clusterCollapsed": false,
-          "typeNarrowed": false,
-          "crownJewelTier": "low-value",
-          "mitigationVerdict": "unreachable-in-prod"
-        },
-        "scanner": {
-          "rulesetVersion": null,
-          "packHash": null,
-          "modelId": null
-        }
-      },
-      "adversaryTranscript": null,
-      "predictedBountyUsd": {
-        "low": 50,
-        "likely": 200,
-        "high": 600,
-        "program": "web2"
-      },
-      "bountyConfidence": "medium",
-      "attackPlaybook": {
-        "cwe": "CWE-915",
-        "kind": "curl",
-        "title": "Mass assignment — privilege escalation probe",
-        "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
-        "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n  -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n  -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
-        "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
-      }
-    },
-    {
-      "id": "struct:parser-php.js:209:Mass_Assignment_(req.body_Direct_to_Model)",
-      "kind": "sast",
-      "severity": "high",
-      "vuln": "Mass Assignment (req.body Direct to Model)",
-      "cwe": "CWE-915",
-      "owaspLlm": null,
-      "stride": "Tampering",
-      "file": "parser-php.js",
-      "line": 209,
-      "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
-      "fix": null,
-      "reachable": false,
-      "triage": 39,
-      "dataClasses": [],
-      "chain": null,
-      "confidence": 0.314,
-      "toxicity": 35,
-      "toxicityFactors": [
-        "high-severity",
-        "http-facing"
-      ],
-      "toxicityLabel": "Medium",
-      "sources": null,
-      "epssScore": null,
-      "epssPercentile": null,
-      "epssCve": null,
-      "exploitedNow": false,
-      "tags": null,
-      "blastRadius": {
-        "scope": "all-users",
-        "dataAtRisk": [
-          "config"
-        ],
-        "userCount": 50,
-        "industry": "generic",
-        "jurisdictions": [],
-        "controlsApplied": [],
-        "dollarBest": 23250,
-        "dollarLikely": 136250,
-        "dollarWorst": 775000,
-        "dollarLow": 23250,
-        "dollarHigh": 775000,
-        "components": {
-          "incidentResponse": {
-            "low": 8000,
-            "likely": 50000,
-            "high": 250000
-          },
-          "legal": {
-            "low": 10000,
-            "likely": 75000,
-            "high": 500000
-          },
-          "crisisPR": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "notification": {
-            "low": 5000,
-            "likely": 10000,
-            "high": 15000
-          },
-          "creditMonitoring": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "regulatoryFines": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "directDamage": {
-            "low": 250,
-            "likely": 1250,
-            "high": 10000
-          },
-          "classAction": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "lostBusiness": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          }
-        },
-        "dominantDriver": "legal counsel",
-        "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
-        "confidence": "low",
-        "narrative": "Mass Assignment (req.body Direct to Model) on `parser-php.js:209` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
-      },
-      "stableId": "b73364b3c23bcce8",
-      "confidenceTier": "low",
-      "exploitability": 0.45,
-      "exploitabilityTier": "medium",
-      "exploitabilityFactors": [
-        "sev:high",
-        "unreachable"
-      ],
-      "clusterSize": null,
-      "unreachable": false,
-      "validator_verdict": "unvalidated",
-      "llm_confidence": null,
-      "unvalidated": true,
-      "cross_language": false,
-      "family": "mass-assignment",
-      "parser": "STRUCTURAL",
-      "_unsigned": false,
-      "_passThroughSigning": false,
-      "signatureStatus": "verified",
-      "regression_test": null,
-      "poc": null,
-      "calibrated_confidence": null,
-      "calibrated_confidence_ci": null,
-      "calibrated_n": 5,
-      "calibration_reason": "insufficient-samples",
-      "verifier_verdict": "cannot-verify",
-      "verifier_reason": "no-poc-no-sanitizer-rule",
-      "verifier_runner": null,
-      "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-php.js:?. Severity: high. Review the remediation field for class-specific guidance.",
-      "mitigationVerdict": "unreachable-in-prod",
-      "mitigationsApplied": [],
-      "mitigatedByWaf": false,
-      "wafRuleId": null,
-      "mitigatedByAuth": false,
-      "authMechanism": null,
-      "mitigatedByNetwork": false,
-      "networkExposure": null,
-      "featureFlag": null,
-      "featureFlagState": null,
-      "featureFlagRollout": null,
-      "exposedInProd": false,
-      "unreachableInProd": true,
-      "coldPath": false,
-      "hotPath": false,
-      "prodRequestCount": null,
-      "crownJewelScore": 0.15,
-      "crownJewelTier": "low-value",
-      "crownJewelFactors": [
-        "shell-execution"
-      ],
-      "cloneClusterId": "a0c829a31c63bf1a",
-      "cloneClusterSize": 5,
-      "provenance": "human-likely",
-      "provenanceScore": 0,
-      "typeNarrowed": null,
-      "strideCategory": null,
-      "personaScores": {
-        "script-kiddie": {
-          "score": 0.65,
-          "tier": "high",
-          "factors": [
-            "sev:high"
-          ]
-        },
-        "opportunistic-criminal": {
-          "score": 0.85,
-          "tier": "critical",
-          "factors": [
-            "sev:high",
-            "bias:mass-assignment+0.20"
-          ]
-        },
-        "apt-nation-state": {
-          "score": 0.65,
-          "tier": "high",
-          "factors": [
-            "sev:high"
-          ]
-        },
-        "supply-chain-attacker": {
-          "score": 0.65,
-          "tier": "high",
-          "factors": [
-            "sev:high"
-          ]
-        },
-        "malicious-insider": {
-          "score": 1,
-          "tier": "critical",
-          "factors": [
-            "sev:high",
-            "bias:mass-assignment+0.25",
-            "authz-bypass-favored"
-          ]
-        }
-      },
-      "personaTopTwo": [
-        "malicious-insider",
-        "opportunistic-criminal"
-      ],
-      "personaMaxName": "malicious-insider",
-      "personaMaxScore": 1,
-      "reverseExposure": null,
-      "specMined": null,
-      "whyFired": {
-        "detector": "sast/mass-assignment",
-        "ruleId": "CWE-915",
-        "parser": "STRUCTURAL",
-        "evidence": {
-          "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
-          "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
-          "pathSteps": [],
-          "sanitizers": [],
-          "guards": []
-        },
-        "considered": {
-          "suppressionsApplied": [],
-          "suppressionsSkipped": [],
-          "reachabilityFilter": "unaffected",
-          "clusterCollapsed": false,
-          "typeNarrowed": false,
-          "crownJewelTier": "low-value",
-          "mitigationVerdict": "unreachable-in-prod"
-        },
-        "scanner": {
-          "rulesetVersion": null,
-          "packHash": null,
-          "modelId": null
-        }
-      },
-      "adversaryTranscript": null,
-      "predictedBountyUsd": {
-        "low": 50,
-        "likely": 200,
-        "high": 600,
-        "program": "web2"
-      },
-      "bountyConfidence": "medium",
-      "attackPlaybook": {
-        "cwe": "CWE-915",
-        "kind": "curl",
-        "title": "Mass assignment — privilege escalation probe",
-        "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
-        "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n  -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n  -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
-        "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
-      }
-    },
-    {
-      "id": "struct:parser-rb.js:201:Mass_Assignment_(req.body_Direct_to_Model)",
-      "kind": "sast",
-      "severity": "high",
-      "vuln": "Mass Assignment (req.body Direct to Model)",
-      "cwe": "CWE-915",
-      "owaspLlm": null,
-      "stride": "Tampering",
-      "file": "parser-rb.js",
-      "line": 201,
-      "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
-      "fix": null,
-      "reachable": false,
-      "triage": 39,
-      "dataClasses": [],
-      "chain": null,
-      "confidence": 0.314,
-      "toxicity": 35,
-      "toxicityFactors": [
-        "high-severity",
-        "http-facing"
-      ],
-      "toxicityLabel": "Medium",
-      "sources": null,
-      "epssScore": null,
-      "epssPercentile": null,
-      "epssCve": null,
-      "exploitedNow": false,
-      "tags": null,
-      "blastRadius": {
-        "scope": "all-users",
-        "dataAtRisk": [
-          "config"
-        ],
-        "userCount": 50,
-        "industry": "generic",
-        "jurisdictions": [],
-        "controlsApplied": [],
-        "dollarBest": 23250,
-        "dollarLikely": 136250,
-        "dollarWorst": 775000,
-        "dollarLow": 23250,
-        "dollarHigh": 775000,
-        "components": {
-          "incidentResponse": {
-            "low": 8000,
-            "likely": 50000,
-            "high": 250000
-          },
-          "legal": {
-            "low": 10000,
-            "likely": 75000,
-            "high": 500000
-          },
-          "crisisPR": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "notification": {
-            "low": 5000,
-            "likely": 10000,
-            "high": 15000
-          },
-          "creditMonitoring": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "regulatoryFines": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "directDamage": {
-            "low": 250,
-            "likely": 1250,
-            "high": 10000
-          },
-          "classAction": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "lostBusiness": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          }
-        },
-        "dominantDriver": "legal counsel",
-        "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
-        "confidence": "low",
-        "narrative": "Mass Assignment (req.body Direct to Model) on `parser-rb.js:201` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
-      },
-      "stableId": "1889976dc0f1120c",
-      "confidenceTier": "low",
-      "exploitability": 0.45,
-      "exploitabilityTier": "medium",
-      "exploitabilityFactors": [
-        "sev:high",
-        "unreachable"
-      ],
-      "clusterSize": null,
-      "unreachable": false,
-      "validator_verdict": "unvalidated",
-      "llm_confidence": null,
-      "unvalidated": true,
-      "cross_language": false,
-      "family": "mass-assignment",
-      "parser": "STRUCTURAL",
-      "_unsigned": false,
-      "_passThroughSigning": false,
-      "signatureStatus": "verified",
-      "regression_test": null,
-      "poc": null,
-      "calibrated_confidence": null,
-      "calibrated_confidence_ci": null,
-      "calibrated_n": 5,
-      "calibration_reason": "insufficient-samples",
-      "verifier_verdict": "cannot-verify",
-      "verifier_reason": "no-poc-no-sanitizer-rule",
-      "verifier_runner": null,
-      "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-rb.js:?. Severity: high. Review the remediation field for class-specific guidance.",
-      "mitigationVerdict": "unreachable-in-prod",
-      "mitigationsApplied": [],
-      "mitigatedByWaf": false,
-      "wafRuleId": null,
-      "mitigatedByAuth": false,
-      "authMechanism": null,
-      "mitigatedByNetwork": false,
-      "networkExposure": null,
-      "featureFlag": null,
-      "featureFlagState": null,
-      "featureFlagRollout": null,
-      "exposedInProd": false,
-      "unreachableInProd": true,
-      "coldPath": false,
-      "hotPath": false,
-      "prodRequestCount": null,
-      "crownJewelScore": 0.15,
-      "crownJewelTier": "low-value",
-      "crownJewelFactors": [
-        "shell-execution"
-      ],
-      "cloneClusterId": "a0c829a31c63bf1a",
-      "cloneClusterSize": 5,
-      "provenance": "human-likely",
-      "provenanceScore": 0,
-      "typeNarrowed": null,
-      "strideCategory": null,
-      "personaScores": {
-        "script-kiddie": {
-          "score": 0.65,
-          "tier": "high",
-          "factors": [
-            "sev:high"
-          ]
-        },
-        "opportunistic-criminal": {
-          "score": 0.85,
-          "tier": "critical",
-          "factors": [
-            "sev:high",
-            "bias:mass-assignment+0.20"
-          ]
-        },
-        "apt-nation-state": {
-          "score": 0.65,
-          "tier": "high",
-          "factors": [
-            "sev:high"
-          ]
-        },
-        "supply-chain-attacker": {
-          "score": 0.65,
-          "tier": "high",
-          "factors": [
-            "sev:high"
-          ]
-        },
-        "malicious-insider": {
-          "score": 1,
-          "tier": "critical",
-          "factors": [
-            "sev:high",
-            "bias:mass-assignment+0.25",
-            "authz-bypass-favored"
-          ]
-        }
-      },
-      "personaTopTwo": [
-        "malicious-insider",
-        "opportunistic-criminal"
-      ],
-      "personaMaxName": "malicious-insider",
-      "personaMaxScore": 1,
-      "reverseExposure": null,
-      "specMined": null,
-      "whyFired": {
-        "detector": "sast/mass-assignment",
-        "ruleId": "CWE-915",
-        "parser": "STRUCTURAL",
-        "evidence": {
-          "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
-          "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
-          "pathSteps": [],
-          "sanitizers": [],
-          "guards": []
-        },
-        "considered": {
-          "suppressionsApplied": [],
-          "suppressionsSkipped": [],
-          "reachabilityFilter": "unaffected",
-          "clusterCollapsed": false,
-          "typeNarrowed": false,
-          "crownJewelTier": "low-value",
-          "mitigationVerdict": "unreachable-in-prod"
-        },
-        "scanner": {
-          "rulesetVersion": null,
-          "packHash": null,
-          "modelId": null
-        }
-      },
-      "adversaryTranscript": null,
-      "predictedBountyUsd": {
-        "low": 50,
-        "likely": 200,
-        "high": 600,
-        "program": "web2"
-      },
-      "bountyConfidence": "medium",
-      "attackPlaybook": {
-        "cwe": "CWE-915",
-        "kind": "curl",
-        "title": "Mass assignment — privilege escalation probe",
-        "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
-        "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n  -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n  -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
-        "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
-      }
-    },
-    {
-      "id": "struct:type-stubs.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "kind": "sast",
-      "severity": "medium",
-      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-      "cwe": "CWE-400",
-      "owaspLlm": null,
-      "stride": "Denial of Service",
-      "file": "type-stubs.js",
-      "line": 48,
-      "snippet": "try { inputs.push(p + ':' + fs.statSync(fp).mtimeMs); } catch {}",
-      "fix": null,
-      "reachable": false,
-      "triage": 22,
-      "dataClasses": [],
-      "chain": null,
-      "confidence": 0.212,
-      "toxicity": 28,
-      "toxicityFactors": [
-        "http-facing"
-      ],
-      "toxicityLabel": "Medium",
-      "sources": null,
-      "epssScore": null,
-      "epssPercentile": null,
-      "epssCve": null,
-      "exploitedNow": false,
-      "tags": null,
-      "blastRadius": {
-        "scope": "all-users",
-        "dataAtRisk": [
-          "config"
-        ],
-        "userCount": 50,
-        "industry": "generic",
-        "jurisdictions": [],
-        "controlsApplied": [],
-        "dollarBest": 23250,
-        "dollarLikely": 136250,
-        "dollarWorst": 775000,
-        "dollarLow": 23250,
-        "dollarHigh": 775000,
-        "components": {
-          "incidentResponse": {
-            "low": 8000,
-            "likely": 50000,
-            "high": 250000
-          },
-          "legal": {
-            "low": 10000,
-            "likely": 75000,
-            "high": 500000
-          },
-          "crisisPR": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "notification": {
-            "low": 5000,
-            "likely": 10000,
-            "high": 15000
-          },
-          "creditMonitoring": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "regulatoryFines": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "directDamage": {
-            "low": 250,
-            "likely": 1250,
-            "high": 10000
-          },
-          "classAction": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "lostBusiness": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          }
-        },
-        "dominantDriver": "legal counsel",
-        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
-        "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:48` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
-      },
-      "stableId": "de7f5b06a0db0ac9",
-      "confidenceTier": "very-low",
-      "exploitability": 0.2,
-      "exploitabilityTier": "low",
-      "exploitabilityFactors": [
-        "sev:medium",
-        "unreachable"
-      ],
-      "clusterSize": null,
-      "unreachable": false,
-      "validator_verdict": "unvalidated",
-      "llm_confidence": null,
-      "unvalidated": true,
-      "cross_language": false,
-      "family": "dos-sync-io",
-      "parser": "STRUCTURAL",
-      "_unsigned": false,
-      "_passThroughSigning": false,
-      "signatureStatus": "verified",
-      "regression_test": null,
-      "poc": null,
-      "calibrated_confidence": null,
-      "calibrated_confidence_ci": null,
-      "calibrated_n": 0,
-      "calibration_reason": "no-history",
-      "verifier_verdict": "cannot-verify",
-      "verifier_reason": "no-poc-no-sanitizer-rule",
-      "verifier_runner": null,
-      "narration": null,
-      "mitigationVerdict": "unreachable-in-prod",
-      "mitigationsApplied": [],
-      "mitigatedByWaf": false,
-      "wafRuleId": null,
-      "mitigatedByAuth": false,
-      "authMechanism": null,
-      "mitigatedByNetwork": false,
-      "networkExposure": null,
-      "featureFlag": null,
-      "featureFlagState": null,
-      "featureFlagRollout": null,
-      "exposedInProd": false,
-      "unreachableInProd": true,
-      "coldPath": false,
-      "hotPath": false,
-      "prodRequestCount": null,
-      "crownJewelScore": 0.15,
-      "crownJewelTier": "low-value",
-      "crownJewelFactors": [
-        "shell-execution"
-      ],
-      "cloneClusterId": "1ca765ccc2c8227c",
-      "cloneClusterSize": 2,
-      "provenance": "human-likely",
-      "provenanceScore": 0.12,
-      "typeNarrowed": null,
-      "strideCategory": "denialOfService",
-      "personaScores": {
-        "script-kiddie": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "opportunistic-criminal": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "apt-nation-state": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "supply-chain-attacker": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "malicious-insider": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        }
-      },
-      "personaTopTwo": [
-        "script-kiddie",
-        "opportunistic-criminal"
-      ],
-      "personaMaxName": "script-kiddie",
-      "personaMaxScore": 0.4,
-      "reverseExposure": null,
-      "specMined": null,
-      "whyFired": {
-        "detector": "sast/dos-sync-io",
-        "ruleId": "CWE-400",
-        "parser": "STRUCTURAL",
-        "evidence": {
-          "sinkSnippet": "try { inputs.push(p + ':' + fs.statSync(fp).mtimeMs); } catch {}",
-          "sourceSnippet": "try { inputs.push(p + ':' + fs.statSync(fp).mtimeMs); } catch {}",
-          "pathSteps": [],
-          "sanitizers": [],
-          "guards": []
-        },
-        "considered": {
-          "suppressionsApplied": [],
-          "suppressionsSkipped": [],
-          "reachabilityFilter": "unaffected",
-          "clusterCollapsed": false,
-          "typeNarrowed": false,
-          "crownJewelTier": "low-value",
-          "mitigationVerdict": "unreachable-in-prod"
-        },
-        "scanner": {
-          "rulesetVersion": null,
-          "packHash": null,
-          "modelId": null
-        }
-      },
-      "adversaryTranscript": null,
-      "predictedBountyUsd": {
-        "low": 10,
-        "likely": 40,
-        "high": 120,
-        "program": "web2"
-      },
-      "bountyConfidence": "high",
-      "attackPlaybook": null
-    },
-    {
-      "id": "struct:type-stubs.js:57:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "kind": "sast",
-      "severity": "medium",
-      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-      "cwe": "CWE-400",
-      "owaspLlm": null,
-      "stride": "Denial of Service",
-      "file": "type-stubs.js",
-      "line": 57,
-      "snippet": "if (!fs.existsSync(fp)) return null;",
-      "fix": null,
-      "reachable": false,
-      "triage": 22,
-      "dataClasses": [],
-      "chain": null,
-      "confidence": 0.212,
-      "toxicity": 28,
-      "toxicityFactors": [
-        "http-facing"
-      ],
-      "toxicityLabel": "Medium",
-      "sources": null,
-      "epssScore": null,
-      "epssPercentile": null,
-      "epssCve": null,
-      "exploitedNow": false,
-      "tags": null,
-      "blastRadius": {
-        "scope": "all-users",
-        "dataAtRisk": [
-          "config"
-        ],
-        "userCount": 50,
-        "industry": "generic",
-        "jurisdictions": [],
-        "controlsApplied": [],
-        "dollarBest": 23250,
-        "dollarLikely": 136250,
-        "dollarWorst": 775000,
-        "dollarLow": 23250,
-        "dollarHigh": 775000,
-        "components": {
-          "incidentResponse": {
-            "low": 8000,
-            "likely": 50000,
-            "high": 250000
-          },
-          "legal": {
-            "low": 10000,
-            "likely": 75000,
-            "high": 500000
-          },
-          "crisisPR": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "notification": {
-            "low": 5000,
-            "likely": 10000,
-            "high": 15000
-          },
-          "creditMonitoring": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "regulatoryFines": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "directDamage": {
-            "low": 250,
-            "likely": 1250,
-            "high": 10000
-          },
-          "classAction": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "lostBusiness": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          }
-        },
-        "dominantDriver": "legal counsel",
-        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
-        "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:57` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
-      },
-      "stableId": "256de17293c86e74",
-      "confidenceTier": "very-low",
-      "exploitability": 0.2,
-      "exploitabilityTier": "low",
-      "exploitabilityFactors": [
-        "sev:medium",
-        "unreachable"
-      ],
-      "clusterSize": null,
-      "unreachable": false,
-      "validator_verdict": "unvalidated",
-      "llm_confidence": null,
-      "unvalidated": true,
-      "cross_language": false,
-      "family": "dos-sync-io",
-      "parser": "STRUCTURAL",
-      "_unsigned": false,
-      "_passThroughSigning": false,
-      "signatureStatus": "verified",
-      "regression_test": null,
-      "poc": null,
-      "calibrated_confidence": null,
-      "calibrated_confidence_ci": null,
-      "calibrated_n": 0,
-      "calibration_reason": "no-history",
-      "verifier_verdict": "cannot-verify",
-      "verifier_reason": "no-poc-no-sanitizer-rule",
-      "verifier_runner": null,
-      "narration": null,
-      "mitigationVerdict": "unreachable-in-prod",
-      "mitigationsApplied": [],
-      "mitigatedByWaf": false,
-      "wafRuleId": null,
-      "mitigatedByAuth": false,
-      "authMechanism": null,
-      "mitigatedByNetwork": false,
-      "networkExposure": null,
-      "featureFlag": null,
-      "featureFlagState": null,
-      "featureFlagRollout": null,
-      "exposedInProd": false,
-      "unreachableInProd": true,
-      "coldPath": false,
-      "hotPath": false,
-      "prodRequestCount": null,
-      "crownJewelScore": 0.15,
-      "crownJewelTier": "low-value",
-      "crownJewelFactors": [
-        "shell-execution"
-      ],
-      "cloneClusterId": "66b8a8c25816e7f9",
-      "cloneClusterSize": 2,
-      "provenance": "human-likely",
-      "provenanceScore": 0.12,
-      "typeNarrowed": null,
-      "strideCategory": "denialOfService",
-      "personaScores": {
-        "script-kiddie": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "opportunistic-criminal": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "apt-nation-state": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "supply-chain-attacker": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "malicious-insider": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        }
-      },
-      "personaTopTwo": [
-        "script-kiddie",
-        "opportunistic-criminal"
-      ],
-      "personaMaxName": "script-kiddie",
-      "personaMaxScore": 0.4,
-      "reverseExposure": null,
-      "specMined": null,
-      "whyFired": {
-        "detector": "sast/dos-sync-io",
-        "ruleId": "CWE-400",
-        "parser": "STRUCTURAL",
-        "evidence": {
-          "sinkSnippet": "if (!fs.existsSync(fp)) return null;",
-          "sourceSnippet": "if (!fs.existsSync(fp)) return null;",
-          "pathSteps": [],
-          "sanitizers": [],
-          "guards": []
-        },
-        "considered": {
-          "suppressionsApplied": [],
-          "suppressionsSkipped": [],
-          "reachabilityFilter": "unaffected",
-          "clusterCollapsed": false,
-          "typeNarrowed": false,
-          "crownJewelTier": "low-value",
-          "mitigationVerdict": "unreachable-in-prod"
-        },
-        "scanner": {
-          "rulesetVersion": null,
-          "packHash": null,
-          "modelId": null
-        }
-      },
-      "adversaryTranscript": null,
-      "predictedBountyUsd": {
-        "low": 10,
-        "likely": 40,
-        "high": 120,
-        "program": "web2"
-      },
-      "bountyConfidence": "high",
-      "attackPlaybook": null
-    },
-    {
-      "id": "struct:type-stubs.js:58:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "kind": "sast",
-      "severity": "medium",
-      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-      "cwe": "CWE-400",
-      "owaspLlm": null,
-      "stride": "Denial of Service",
-      "file": "type-stubs.js",
-      "line": 58,
-      "snippet": "const obj = JSON.parse(fs.readFileSync(fp, 'utf8'));",
-      "fix": null,
-      "reachable": false,
-      "triage": 22,
-      "dataClasses": [],
-      "chain": null,
-      "confidence": 0.212,
-      "toxicity": 28,
-      "toxicityFactors": [
-        "http-facing"
-      ],
-      "toxicityLabel": "Medium",
-      "sources": null,
-      "epssScore": null,
-      "epssPercentile": null,
-      "epssCve": null,
-      "exploitedNow": false,
-      "tags": null,
-      "blastRadius": {
-        "scope": "all-users",
-        "dataAtRisk": [
-          "config"
-        ],
-        "userCount": 50,
-        "industry": "generic",
-        "jurisdictions": [],
-        "controlsApplied": [],
-        "dollarBest": 23250,
-        "dollarLikely": 136250,
-        "dollarWorst": 775000,
-        "dollarLow": 23250,
-        "dollarHigh": 775000,
-        "components": {
-          "incidentResponse": {
-            "low": 8000,
-            "likely": 50000,
-            "high": 250000
-          },
-          "legal": {
-            "low": 10000,
-            "likely": 75000,
-            "high": 500000
-          },
-          "crisisPR": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "notification": {
-            "low": 5000,
-            "likely": 10000,
-            "high": 15000
-          },
-          "creditMonitoring": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "regulatoryFines": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "directDamage": {
-            "low": 250,
-            "likely": 1250,
-            "high": 10000
-          },
-          "classAction": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "lostBusiness": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          }
-        },
-        "dominantDriver": "legal counsel",
-        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
-        "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:58` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
-      },
-      "stableId": "4f8d060ad72a925a",
-      "confidenceTier": "very-low",
-      "exploitability": 0.2,
-      "exploitabilityTier": "low",
-      "exploitabilityFactors": [
-        "sev:medium",
-        "unreachable"
-      ],
-      "clusterSize": null,
-      "unreachable": false,
-      "validator_verdict": "unvalidated",
-      "llm_confidence": null,
-      "unvalidated": true,
-      "cross_language": false,
-      "family": "dos-sync-io",
-      "parser": "STRUCTURAL",
-      "_unsigned": false,
-      "_passThroughSigning": false,
-      "signatureStatus": "verified",
-      "regression_test": null,
-      "poc": null,
-      "calibrated_confidence": null,
-      "calibrated_confidence_ci": null,
-      "calibrated_n": 0,
-      "calibration_reason": "no-history",
-      "verifier_verdict": "cannot-verify",
-      "verifier_reason": "no-poc-no-sanitizer-rule",
-      "verifier_runner": null,
-      "narration": null,
-      "mitigationVerdict": "unreachable-in-prod",
-      "mitigationsApplied": [],
-      "mitigatedByWaf": false,
-      "wafRuleId": null,
-      "mitigatedByAuth": false,
-      "authMechanism": null,
-      "mitigatedByNetwork": false,
-      "networkExposure": null,
-      "featureFlag": null,
-      "featureFlagState": null,
-      "featureFlagRollout": null,
-      "exposedInProd": false,
-      "unreachableInProd": true,
-      "coldPath": false,
-      "hotPath": false,
-      "prodRequestCount": null,
-      "crownJewelScore": 0.15,
-      "crownJewelTier": "low-value",
-      "crownJewelFactors": [
-        "shell-execution"
-      ],
-      "cloneClusterId": "8b60c3f57d48c622",
-      "cloneClusterSize": 1,
-      "provenance": "human-likely",
-      "provenanceScore": 0.12,
-      "typeNarrowed": null,
-      "strideCategory": "denialOfService",
-      "personaScores": {
-        "script-kiddie": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "opportunistic-criminal": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "apt-nation-state": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "supply-chain-attacker": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "malicious-insider": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        }
-      },
-      "personaTopTwo": [
-        "script-kiddie",
-        "opportunistic-criminal"
-      ],
-      "personaMaxName": "script-kiddie",
-      "personaMaxScore": 0.4,
-      "reverseExposure": null,
-      "specMined": null,
-      "whyFired": {
-        "detector": "sast/dos-sync-io",
-        "ruleId": "CWE-400",
-        "parser": "STRUCTURAL",
-        "evidence": {
-          "sinkSnippet": "const obj = JSON.parse(fs.readFileSync(fp, 'utf8'));",
-          "sourceSnippet": "const obj = JSON.parse(fs.readFileSync(fp, 'utf8'));",
-          "pathSteps": [],
-          "sanitizers": [],
-          "guards": []
-        },
-        "considered": {
-          "suppressionsApplied": [],
-          "suppressionsSkipped": [],
-          "reachabilityFilter": "unaffected",
-          "clusterCollapsed": false,
-          "typeNarrowed": false,
-          "crownJewelTier": "low-value",
-          "mitigationVerdict": "unreachable-in-prod"
-        },
-        "scanner": {
-          "rulesetVersion": null,
-          "packHash": null,
-          "modelId": null
-        }
-      },
-      "adversaryTranscript": null,
-      "predictedBountyUsd": {
-        "low": 10,
-        "likely": 40,
-        "high": 120,
-        "program": "web2"
-      },
-      "bountyConfidence": "high",
-      "attackPlaybook": null
-    },
-    {
-      "id": "struct:type-stubs.js:79:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "kind": "sast",
-      "severity": "medium",
-      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-      "cwe": "CWE-400",
-      "owaspLlm": null,
-      "stride": "Denial of Service",
-      "file": "type-stubs.js",
-      "line": 79,
-      "snippet": "try { fs.writeFileSync(fp, JSON.stringify(obj)); } catch {}",
-      "fix": null,
-      "reachable": false,
-      "triage": 22,
-      "dataClasses": [],
-      "chain": null,
-      "confidence": 0.212,
-      "toxicity": 28,
-      "toxicityFactors": [
-        "http-facing"
-      ],
-      "toxicityLabel": "Medium",
-      "sources": null,
-      "epssScore": null,
-      "epssPercentile": null,
-      "epssCve": null,
-      "exploitedNow": false,
-      "tags": null,
-      "blastRadius": {
-        "scope": "all-users",
-        "dataAtRisk": [
-          "config"
-        ],
-        "userCount": 50,
-        "industry": "generic",
-        "jurisdictions": [],
-        "controlsApplied": [],
-        "dollarBest": 23250,
-        "dollarLikely": 136250,
-        "dollarWorst": 775000,
-        "dollarLow": 23250,
-        "dollarHigh": 775000,
-        "components": {
-          "incidentResponse": {
-            "low": 8000,
-            "likely": 50000,
-            "high": 250000
-          },
-          "legal": {
-            "low": 10000,
-            "likely": 75000,
-            "high": 500000
-          },
-          "crisisPR": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "notification": {
-            "low": 5000,
-            "likely": 10000,
-            "high": 15000
-          },
-          "creditMonitoring": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "regulatoryFines": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "directDamage": {
-            "low": 250,
-            "likely": 1250,
-            "high": 10000
-          },
-          "classAction": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "lostBusiness": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          }
-        },
-        "dominantDriver": "legal counsel",
-        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
-        "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:79` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
-      },
-      "stableId": "e7a40ff787e8c228",
-      "confidenceTier": "very-low",
-      "exploitability": 0.2,
-      "exploitabilityTier": "low",
-      "exploitabilityFactors": [
-        "sev:medium",
-        "unreachable"
-      ],
-      "clusterSize": null,
-      "unreachable": false,
-      "validator_verdict": "unvalidated",
-      "llm_confidence": null,
-      "unvalidated": true,
-      "cross_language": false,
-      "family": "dos-sync-io",
-      "parser": "STRUCTURAL",
-      "_unsigned": false,
-      "_passThroughSigning": false,
-      "signatureStatus": "verified",
-      "regression_test": null,
-      "poc": null,
-      "calibrated_confidence": null,
-      "calibrated_confidence_ci": null,
-      "calibrated_n": 0,
-      "calibration_reason": "no-history",
-      "verifier_verdict": "cannot-verify",
-      "verifier_reason": "no-poc-no-sanitizer-rule",
-      "verifier_runner": null,
-      "narration": null,
-      "mitigationVerdict": "unreachable-in-prod",
-      "mitigationsApplied": [],
-      "mitigatedByWaf": false,
-      "wafRuleId": null,
-      "mitigatedByAuth": false,
-      "authMechanism": null,
-      "mitigatedByNetwork": false,
-      "networkExposure": null,
-      "featureFlag": null,
-      "featureFlagState": null,
-      "featureFlagRollout": null,
-      "exposedInProd": false,
-      "unreachableInProd": true,
-      "coldPath": false,
-      "hotPath": false,
-      "prodRequestCount": null,
-      "crownJewelScore": 0.15,
-      "crownJewelTier": "low-value",
-      "crownJewelFactors": [
-        "shell-execution"
-      ],
-      "cloneClusterId": "d2ce1948de2c53fb",
-      "cloneClusterSize": 1,
-      "provenance": "human-likely",
-      "provenanceScore": 0.12,
-      "typeNarrowed": null,
-      "strideCategory": "denialOfService",
-      "personaScores": {
-        "script-kiddie": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "opportunistic-criminal": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "apt-nation-state": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "supply-chain-attacker": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "malicious-insider": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        }
-      },
-      "personaTopTwo": [
-        "script-kiddie",
-        "opportunistic-criminal"
-      ],
-      "personaMaxName": "script-kiddie",
-      "personaMaxScore": 0.4,
-      "reverseExposure": null,
-      "specMined": null,
-      "whyFired": {
-        "detector": "sast/dos-sync-io",
-        "ruleId": "CWE-400",
-        "parser": "STRUCTURAL",
-        "evidence": {
-          "sinkSnippet": "try { fs.writeFileSync(fp, JSON.stringify(obj)); } catch {}",
-          "sourceSnippet": "try { fs.writeFileSync(fp, JSON.stringify(obj)); } catch {}",
-          "pathSteps": [],
-          "sanitizers": [],
-          "guards": []
-        },
-        "considered": {
-          "suppressionsApplied": [],
-          "suppressionsSkipped": [],
-          "reachabilityFilter": "unaffected",
-          "clusterCollapsed": false,
-          "typeNarrowed": false,
-          "crownJewelTier": "low-value",
-          "mitigationVerdict": "unreachable-in-prod"
-        },
-        "scanner": {
-          "rulesetVersion": null,
-          "packHash": null,
-          "modelId": null
-        }
-      },
-      "adversaryTranscript": null,
-      "predictedBountyUsd": {
-        "low": 10,
-        "likely": 40,
-        "high": 120,
-        "program": "web2"
-      },
-      "bountyConfidence": "high",
-      "attackPlaybook": null
-    },
-    {
-      "id": "struct:type-stubs.js:190:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "kind": "sast",
-      "severity": "medium",
-      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-      "cwe": "CWE-400",
-      "owaspLlm": null,
-      "stride": "Denial of Service",
-      "file": "type-stubs.js",
-      "line": 190,
-      "snippet": "try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }",
-      "fix": null,
-      "reachable": false,
-      "triage": 22,
-      "dataClasses": [],
-      "chain": null,
-      "confidence": 0.212,
-      "toxicity": 28,
-      "toxicityFactors": [
-        "http-facing"
-      ],
-      "toxicityLabel": "Medium",
-      "sources": null,
-      "epssScore": null,
-      "epssPercentile": null,
-      "epssCve": null,
-      "exploitedNow": false,
-      "tags": null,
-      "blastRadius": {
-        "scope": "all-users",
-        "dataAtRisk": [
-          "config"
-        ],
-        "userCount": 50,
-        "industry": "generic",
-        "jurisdictions": [],
-        "controlsApplied": [],
-        "dollarBest": 23250,
-        "dollarLikely": 136250,
-        "dollarWorst": 775000,
-        "dollarLow": 23250,
-        "dollarHigh": 775000,
-        "components": {
-          "incidentResponse": {
-            "low": 8000,
-            "likely": 50000,
-            "high": 250000
-          },
-          "legal": {
-            "low": 10000,
-            "likely": 75000,
-            "high": 500000
-          },
-          "crisisPR": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "notification": {
-            "low": 5000,
-            "likely": 10000,
-            "high": 15000
-          },
-          "creditMonitoring": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "regulatoryFines": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "directDamage": {
-            "low": 250,
-            "likely": 1250,
-            "high": 10000
-          },
-          "classAction": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "lostBusiness": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          }
-        },
-        "dominantDriver": "legal counsel",
-        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
-        "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:190` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
-      },
-      "stableId": "db5b5598e24d7b37",
-      "confidenceTier": "very-low",
-      "exploitability": 0.2,
-      "exploitabilityTier": "low",
-      "exploitabilityFactors": [
-        "sev:medium",
-        "unreachable"
-      ],
-      "clusterSize": null,
-      "unreachable": false,
-      "validator_verdict": "unvalidated",
-      "llm_confidence": null,
-      "unvalidated": true,
-      "cross_language": false,
-      "family": "dos-sync-io",
-      "parser": "STRUCTURAL",
-      "_unsigned": false,
-      "_passThroughSigning": false,
-      "signatureStatus": "verified",
-      "regression_test": null,
-      "poc": null,
-      "calibrated_confidence": null,
-      "calibrated_confidence_ci": null,
-      "calibrated_n": 0,
-      "calibration_reason": "no-history",
-      "verifier_verdict": "cannot-verify",
-      "verifier_reason": "no-poc-no-sanitizer-rule",
-      "verifier_runner": null,
-      "narration": null,
-      "mitigationVerdict": "unreachable-in-prod",
-      "mitigationsApplied": [],
-      "mitigatedByWaf": false,
-      "wafRuleId": null,
-      "mitigatedByAuth": false,
-      "authMechanism": null,
-      "mitigatedByNetwork": false,
-      "networkExposure": null,
-      "featureFlag": null,
-      "featureFlagState": null,
-      "featureFlagRollout": null,
-      "exposedInProd": false,
-      "unreachableInProd": true,
-      "coldPath": false,
-      "hotPath": false,
-      "prodRequestCount": null,
-      "crownJewelScore": 0.15,
-      "crownJewelTier": "low-value",
-      "crownJewelFactors": [
-        "shell-execution"
-      ],
-      "cloneClusterId": "b093e72efde4b555",
-      "cloneClusterSize": 1,
-      "provenance": "human-likely",
-      "provenanceScore": 0.12,
-      "typeNarrowed": null,
-      "strideCategory": "denialOfService",
-      "personaScores": {
-        "script-kiddie": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "opportunistic-criminal": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "apt-nation-state": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "supply-chain-attacker": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "malicious-insider": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        }
-      },
-      "personaTopTwo": [
-        "script-kiddie",
-        "opportunistic-criminal"
-      ],
-      "personaMaxName": "script-kiddie",
-      "personaMaxScore": 0.4,
-      "reverseExposure": null,
-      "specMined": null,
-      "whyFired": {
-        "detector": "sast/dos-sync-io",
-        "ruleId": "CWE-400",
-        "parser": "STRUCTURAL",
-        "evidence": {
-          "sinkSnippet": "try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }",
-          "sourceSnippet": "try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }",
-          "pathSteps": [],
-          "sanitizers": [],
-          "guards": []
-        },
-        "considered": {
-          "suppressionsApplied": [],
-          "suppressionsSkipped": [],
-          "reachabilityFilter": "unaffected",
-          "clusterCollapsed": false,
-          "typeNarrowed": false,
-          "crownJewelTier": "low-value",
-          "mitigationVerdict": "unreachable-in-prod"
-        },
-        "scanner": {
-          "rulesetVersion": null,
-          "packHash": null,
-          "modelId": null
-        }
-      },
-      "adversaryTranscript": null,
-      "predictedBountyUsd": {
-        "low": 10,
-        "likely": 40,
-        "high": 120,
-        "program": "web2"
-      },
-      "bountyConfidence": "high",
-      "attackPlaybook": null
-    },
-    {
-      "id": "struct:type-stubs.js:198:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "kind": "sast",
-      "severity": "medium",
-      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-      "cwe": "CWE-400",
-      "owaspLlm": null,
-      "stride": "Denial of Service",
-      "file": "type-stubs.js",
-      "line": 198,
-      "snippet": "if (fs.existsSync(tdir)) walk(tdir, depth + 1);",
-      "fix": null,
-      "reachable": false,
-      "triage": 22,
-      "dataClasses": [],
-      "chain": null,
-      "confidence": 0.212,
-      "toxicity": 28,
-      "toxicityFactors": [
-        "http-facing"
-      ],
-      "toxicityLabel": "Medium",
-      "sources": null,
-      "epssScore": null,
-      "epssPercentile": null,
-      "epssCve": null,
-      "exploitedNow": false,
-      "tags": null,
-      "blastRadius": {
-        "scope": "all-users",
-        "dataAtRisk": [
-          "config"
-        ],
-        "userCount": 50,
-        "industry": "generic",
-        "jurisdictions": [],
-        "controlsApplied": [],
-        "dollarBest": 23250,
-        "dollarLikely": 136250,
-        "dollarWorst": 775000,
-        "dollarLow": 23250,
-        "dollarHigh": 775000,
-        "components": {
-          "incidentResponse": {
-            "low": 8000,
-            "likely": 50000,
-            "high": 250000
-          },
-          "legal": {
-            "low": 10000,
-            "likely": 75000,
-            "high": 500000
-          },
-          "crisisPR": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "notification": {
-            "low": 5000,
-            "likely": 10000,
-            "high": 15000
-          },
-          "creditMonitoring": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "regulatoryFines": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "directDamage": {
-            "low": 250,
-            "likely": 1250,
-            "high": 10000
-          },
-          "classAction": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "lostBusiness": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          }
-        },
-        "dominantDriver": "legal counsel",
-        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
-        "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:198` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
-      },
-      "stableId": "da0930b64e53120b",
-      "confidenceTier": "very-low",
-      "exploitability": 0.2,
-      "exploitabilityTier": "low",
-      "exploitabilityFactors": [
-        "sev:medium",
-        "unreachable"
-      ],
-      "clusterSize": null,
-      "unreachable": false,
-      "validator_verdict": "unvalidated",
-      "llm_confidence": null,
-      "unvalidated": true,
-      "cross_language": false,
-      "family": "dos-sync-io",
-      "parser": "STRUCTURAL",
-      "_unsigned": false,
-      "_passThroughSigning": false,
-      "signatureStatus": "verified",
-      "regression_test": null,
-      "poc": null,
-      "calibrated_confidence": null,
-      "calibrated_confidence_ci": null,
-      "calibrated_n": 0,
-      "calibration_reason": "no-history",
-      "verifier_verdict": "cannot-verify",
-      "verifier_reason": "no-poc-no-sanitizer-rule",
-      "verifier_runner": null,
-      "narration": null,
-      "mitigationVerdict": "unreachable-in-prod",
-      "mitigationsApplied": [],
-      "mitigatedByWaf": false,
-      "wafRuleId": null,
-      "mitigatedByAuth": false,
-      "authMechanism": null,
-      "mitigatedByNetwork": false,
-      "networkExposure": null,
-      "featureFlag": null,
-      "featureFlagState": null,
-      "featureFlagRollout": null,
-      "exposedInProd": false,
-      "unreachableInProd": true,
-      "coldPath": false,
-      "hotPath": false,
-      "prodRequestCount": null,
-      "crownJewelScore": 0.15,
-      "crownJewelTier": "low-value",
-      "crownJewelFactors": [
-        "shell-execution"
-      ],
-      "cloneClusterId": "5e5357c1989b7538",
-      "cloneClusterSize": 1,
-      "provenance": "human-likely",
-      "provenanceScore": 0.12,
-      "typeNarrowed": null,
-      "strideCategory": "denialOfService",
-      "personaScores": {
-        "script-kiddie": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "opportunistic-criminal": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "apt-nation-state": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "supply-chain-attacker": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "malicious-insider": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        }
-      },
-      "personaTopTwo": [
-        "script-kiddie",
-        "opportunistic-criminal"
-      ],
-      "personaMaxName": "script-kiddie",
-      "personaMaxScore": 0.4,
-      "reverseExposure": null,
-      "specMined": null,
-      "whyFired": {
-        "detector": "sast/dos-sync-io",
-        "ruleId": "CWE-400",
-        "parser": "STRUCTURAL",
-        "evidence": {
-          "sinkSnippet": "if (fs.existsSync(tdir)) walk(tdir, depth + 1);",
-          "sourceSnippet": "if (fs.existsSync(tdir)) walk(tdir, depth + 1);",
-          "pathSteps": [],
-          "sanitizers": [],
-          "guards": []
-        },
-        "considered": {
-          "suppressionsApplied": [],
-          "suppressionsSkipped": [],
-          "reachabilityFilter": "unaffected",
-          "clusterCollapsed": false,
-          "typeNarrowed": false,
-          "crownJewelTier": "low-value",
-          "mitigationVerdict": "unreachable-in-prod"
-        },
-        "scanner": {
-          "rulesetVersion": null,
-          "packHash": null,
-          "modelId": null
-        }
-      },
-      "adversaryTranscript": null,
-      "predictedBountyUsd": {
-        "low": 10,
-        "likely": 40,
-        "high": 120,
-        "program": "web2"
-      },
-      "bountyConfidence": "high",
-      "attackPlaybook": null
-    },
-    {
-      "id": "struct:type-stubs.js:216:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "kind": "sast",
-      "severity": "medium",
-      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-      "cwe": "CWE-400",
-      "owaspLlm": null,
-      "stride": "Denial of Service",
-      "file": "type-stubs.js",
-      "line": 216,
-      "snippet": "const pkg = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8'));",
-      "fix": null,
-      "reachable": false,
-      "triage": 22,
-      "dataClasses": [],
-      "chain": null,
-      "confidence": 0.212,
-      "toxicity": 28,
-      "toxicityFactors": [
-        "http-facing"
-      ],
-      "toxicityLabel": "Medium",
-      "sources": null,
-      "epssScore": null,
-      "epssPercentile": null,
-      "epssCve": null,
-      "exploitedNow": false,
-      "tags": null,
-      "blastRadius": {
-        "scope": "all-users",
-        "dataAtRisk": [
-          "config"
-        ],
-        "userCount": 50,
-        "industry": "generic",
-        "jurisdictions": [],
-        "controlsApplied": [],
-        "dollarBest": 23250,
-        "dollarLikely": 136250,
-        "dollarWorst": 775000,
-        "dollarLow": 23250,
-        "dollarHigh": 775000,
-        "components": {
-          "incidentResponse": {
-            "low": 8000,
-            "likely": 50000,
-            "high": 250000
-          },
-          "legal": {
-            "low": 10000,
-            "likely": 75000,
-            "high": 500000
-          },
-          "crisisPR": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "notification": {
-            "low": 5000,
-            "likely": 10000,
-            "high": 15000
-          },
-          "creditMonitoring": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "regulatoryFines": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "directDamage": {
-            "low": 250,
-            "likely": 1250,
-            "high": 10000
-          },
-          "classAction": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "lostBusiness": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          }
-        },
-        "dominantDriver": "legal counsel",
-        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
-        "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:216` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
-      },
-      "stableId": "9f54fa968991f0c8",
-      "confidenceTier": "very-low",
-      "exploitability": 0.2,
-      "exploitabilityTier": "low",
-      "exploitabilityFactors": [
-        "sev:medium",
-        "unreachable"
-      ],
-      "clusterSize": null,
-      "unreachable": false,
-      "validator_verdict": "unvalidated",
-      "llm_confidence": null,
-      "unvalidated": true,
-      "cross_language": false,
-      "family": "dos-sync-io",
-      "parser": "STRUCTURAL",
-      "_unsigned": false,
-      "_passThroughSigning": false,
-      "signatureStatus": "verified",
-      "regression_test": null,
-      "poc": null,
-      "calibrated_confidence": null,
-      "calibrated_confidence_ci": null,
-      "calibrated_n": 0,
-      "calibration_reason": "no-history",
-      "verifier_verdict": "cannot-verify",
-      "verifier_reason": "no-poc-no-sanitizer-rule",
-      "verifier_runner": null,
-      "narration": null,
-      "mitigationVerdict": "unreachable-in-prod",
-      "mitigationsApplied": [],
-      "mitigatedByWaf": false,
-      "wafRuleId": null,
-      "mitigatedByAuth": false,
-      "authMechanism": null,
-      "mitigatedByNetwork": false,
-      "networkExposure": null,
-      "featureFlag": null,
-      "featureFlagState": null,
-      "featureFlagRollout": null,
-      "exposedInProd": false,
-      "unreachableInProd": true,
-      "coldPath": false,
-      "hotPath": false,
-      "prodRequestCount": null,
-      "crownJewelScore": 0.15,
-      "crownJewelTier": "low-value",
-      "crownJewelFactors": [
-        "shell-execution"
-      ],
-      "cloneClusterId": "f686c808d16515e4",
-      "cloneClusterSize": 1,
-      "provenance": "human-likely",
-      "provenanceScore": 0.12,
-      "typeNarrowed": null,
-      "strideCategory": "denialOfService",
-      "personaScores": {
-        "script-kiddie": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "opportunistic-criminal": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "apt-nation-state": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "supply-chain-attacker": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "malicious-insider": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        }
-      },
-      "personaTopTwo": [
-        "script-kiddie",
-        "opportunistic-criminal"
-      ],
-      "personaMaxName": "script-kiddie",
-      "personaMaxScore": 0.4,
-      "reverseExposure": null,
-      "specMined": null,
-      "whyFired": {
-        "detector": "sast/dos-sync-io",
-        "ruleId": "CWE-400",
-        "parser": "STRUCTURAL",
-        "evidence": {
-          "sinkSnippet": "const pkg = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8'));",
-          "sourceSnippet": "const pkg = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8'));",
-          "pathSteps": [],
-          "sanitizers": [],
-          "guards": []
-        },
-        "considered": {
-          "suppressionsApplied": [],
-          "suppressionsSkipped": [],
-          "reachabilityFilter": "unaffected",
-          "clusterCollapsed": false,
-          "typeNarrowed": false,
-          "crownJewelTier": "low-value",
-          "mitigationVerdict": "unreachable-in-prod"
-        },
-        "scanner": {
-          "rulesetVersion": null,
-          "packHash": null,
-          "modelId": null
-        }
-      },
-      "adversaryTranscript": null,
-      "predictedBountyUsd": {
-        "low": 10,
-        "likely": 40,
-        "high": 120,
-        "program": "web2"
-      },
-      "bountyConfidence": "high",
-      "attackPlaybook": null
-    },
-    {
-      "id": "struct:type-stubs.js:245:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "kind": "sast",
-      "severity": "medium",
-      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-      "cwe": "CWE-400",
-      "owaspLlm": null,
-      "stride": "Denial of Service",
-      "file": "type-stubs.js",
-      "line": 245,
-      "snippet": "try { body = fs.readFileSync(f.path, 'utf8'); } catch { continue; }",
-      "fix": null,
-      "reachable": false,
-      "triage": 22,
-      "dataClasses": [],
-      "chain": null,
-      "confidence": 0.212,
-      "toxicity": 28,
-      "toxicityFactors": [
-        "http-facing"
-      ],
-      "toxicityLabel": "Medium",
-      "sources": null,
-      "epssScore": null,
-      "epssPercentile": null,
-      "epssCve": null,
-      "exploitedNow": false,
-      "tags": null,
-      "blastRadius": {
-        "scope": "all-users",
-        "dataAtRisk": [
-          "config"
-        ],
-        "userCount": 50,
-        "industry": "generic",
-        "jurisdictions": [],
-        "controlsApplied": [],
-        "dollarBest": 23250,
-        "dollarLikely": 136250,
-        "dollarWorst": 775000,
-        "dollarLow": 23250,
-        "dollarHigh": 775000,
-        "components": {
-          "incidentResponse": {
-            "low": 8000,
-            "likely": 50000,
-            "high": 250000
-          },
-          "legal": {
-            "low": 10000,
-            "likely": 75000,
-            "high": 500000
-          },
-          "crisisPR": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "notification": {
-            "low": 5000,
-            "likely": 10000,
-            "high": 15000
-          },
-          "creditMonitoring": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "regulatoryFines": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "directDamage": {
-            "low": 250,
-            "likely": 1250,
-            "high": 10000
-          },
-          "classAction": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "lostBusiness": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          }
-        },
-        "dominantDriver": "legal counsel",
-        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
-        "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:245` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
-      },
-      "stableId": "d7f878f4239f7f2f",
-      "confidenceTier": "very-low",
-      "exploitability": 0.2,
-      "exploitabilityTier": "low",
-      "exploitabilityFactors": [
-        "sev:medium",
-        "unreachable"
-      ],
-      "clusterSize": null,
-      "unreachable": false,
-      "validator_verdict": "unvalidated",
-      "llm_confidence": null,
-      "unvalidated": true,
-      "cross_language": false,
-      "family": "dos-sync-io",
-      "parser": "STRUCTURAL",
-      "_unsigned": false,
-      "_passThroughSigning": false,
-      "signatureStatus": "verified",
-      "regression_test": null,
-      "poc": null,
-      "calibrated_confidence": null,
-      "calibrated_confidence_ci": null,
-      "calibrated_n": 0,
-      "calibration_reason": "no-history",
-      "verifier_verdict": "cannot-verify",
-      "verifier_reason": "no-poc-no-sanitizer-rule",
-      "verifier_runner": null,
-      "narration": null,
-      "mitigationVerdict": "unreachable-in-prod",
-      "mitigationsApplied": [],
-      "mitigatedByWaf": false,
-      "wafRuleId": null,
-      "mitigatedByAuth": false,
-      "authMechanism": null,
-      "mitigatedByNetwork": false,
-      "networkExposure": null,
-      "featureFlag": null,
-      "featureFlagState": null,
-      "featureFlagRollout": null,
-      "exposedInProd": false,
-      "unreachableInProd": true,
-      "coldPath": false,
-      "hotPath": false,
-      "prodRequestCount": null,
-      "crownJewelScore": 0.15,
-      "crownJewelTier": "low-value",
-      "crownJewelFactors": [
-        "shell-execution"
-      ],
-      "cloneClusterId": "01bed4bbdd04761a",
-      "cloneClusterSize": 1,
-      "provenance": "human-likely",
-      "provenanceScore": 0.12,
-      "typeNarrowed": null,
-      "strideCategory": "denialOfService",
-      "personaScores": {
-        "script-kiddie": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "opportunistic-criminal": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "apt-nation-state": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "supply-chain-attacker": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "malicious-insider": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        }
-      },
-      "personaTopTwo": [
-        "script-kiddie",
-        "opportunistic-criminal"
-      ],
-      "personaMaxName": "script-kiddie",
-      "personaMaxScore": 0.4,
-      "reverseExposure": null,
-      "specMined": null,
-      "whyFired": {
-        "detector": "sast/dos-sync-io",
-        "ruleId": "CWE-400",
-        "parser": "STRUCTURAL",
-        "evidence": {
-          "sinkSnippet": "try { body = fs.readFileSync(f.path, 'utf8'); } catch { continue; }",
-          "sourceSnippet": "try { body = fs.readFileSync(f.path, 'utf8'); } catch { continue; }",
-          "pathSteps": [],
-          "sanitizers": [],
-          "guards": []
-        },
-        "considered": {
-          "suppressionsApplied": [],
-          "suppressionsSkipped": [],
-          "reachabilityFilter": "unaffected",
-          "clusterCollapsed": false,
-          "typeNarrowed": false,
-          "crownJewelTier": "low-value",
-          "mitigationVerdict": "unreachable-in-prod"
-        },
-        "scanner": {
-          "rulesetVersion": null,
-          "packHash": null,
-          "modelId": null
-        }
-      },
-      "adversaryTranscript": null,
-      "predictedBountyUsd": {
-        "low": 10,
-        "likely": 40,
-        "high": 120,
-        "program": "web2"
-      },
-      "bountyConfidence": "high",
-      "attackPlaybook": null
-    },
-    {
-      "id": "struct:parser-py-cst.js:91:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "kind": "sast",
-      "severity": "medium",
-      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-      "cwe": "CWE-400",
-      "owaspLlm": null,
-      "stride": "Denial of Service",
-      "file": "parser-py-cst.js",
-      "line": 91,
-      "snippet": "if (!fs.existsSync(HELPER_PATH)) return null;",
-      "fix": null,
-      "reachable": false,
-      "triage": 18,
-      "dataClasses": [],
-      "chain": null,
-      "confidence": 0.161,
-      "toxicity": 28,
-      "toxicityFactors": [
-        "http-facing"
-      ],
-      "toxicityLabel": "Medium",
-      "sources": null,
-      "epssScore": null,
-      "epssPercentile": null,
-      "epssCve": null,
-      "exploitedNow": false,
-      "tags": null,
-      "blastRadius": {
-        "scope": "all-users",
-        "dataAtRisk": [
-          "config"
-        ],
-        "userCount": 50,
-        "industry": "generic",
-        "jurisdictions": [],
-        "controlsApplied": [],
-        "dollarBest": 23250,
-        "dollarLikely": 136250,
-        "dollarWorst": 775000,
-        "dollarLow": 23250,
-        "dollarHigh": 775000,
-        "components": {
-          "incidentResponse": {
-            "low": 8000,
-            "likely": 50000,
-            "high": 250000
-          },
-          "legal": {
-            "low": 10000,
-            "likely": 75000,
-            "high": 500000
-          },
-          "crisisPR": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "notification": {
-            "low": 5000,
-            "likely": 10000,
-            "high": 15000
-          },
-          "creditMonitoring": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "regulatoryFines": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "directDamage": {
-            "low": 250,
-            "likely": 1250,
-            "high": 10000
-          },
-          "classAction": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "lostBusiness": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          }
-        },
-        "dominantDriver": "legal counsel",
-        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
-        "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `parser-py-cst.js:91` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
-      },
-      "stableId": "ca57234f46aecc6a",
-      "confidenceTier": "very-low",
-      "exploitability": 0.05,
-      "exploitabilityTier": "low",
-      "exploitabilityFactors": [
-        "sev:medium",
-        "unreachable",
-        "guards:1"
-      ],
-      "clusterSize": null,
-      "unreachable": false,
-      "validator_verdict": "unvalidated",
-      "llm_confidence": null,
-      "unvalidated": true,
-      "cross_language": false,
-      "family": "dos-sync-io",
-      "parser": "STRUCTURAL",
-      "_unsigned": false,
-      "_passThroughSigning": false,
-      "signatureStatus": "verified",
-      "regression_test": null,
-      "poc": null,
-      "calibrated_confidence": null,
-      "calibrated_confidence_ci": null,
-      "calibrated_n": 0,
-      "calibration_reason": "no-history",
-      "verifier_verdict": "cannot-verify",
-      "verifier_reason": "no-poc-no-sanitizer-rule",
-      "verifier_runner": null,
-      "narration": null,
-      "mitigationVerdict": "unreachable-in-prod",
-      "mitigationsApplied": [],
-      "mitigatedByWaf": false,
-      "wafRuleId": null,
-      "mitigatedByAuth": false,
-      "authMechanism": null,
-      "mitigatedByNetwork": false,
-      "networkExposure": null,
-      "featureFlag": null,
-      "featureFlagState": null,
-      "featureFlagRollout": null,
-      "exposedInProd": false,
-      "unreachableInProd": true,
-      "coldPath": false,
-      "hotPath": false,
-      "prodRequestCount": null,
-      "crownJewelScore": 0.15,
-      "crownJewelTier": "low-value",
-      "crownJewelFactors": [
-        "shell-execution"
-      ],
-      "cloneClusterId": "66b8a8c25816e7f9",
-      "cloneClusterSize": 2,
-      "provenance": "mixed",
-      "provenanceScore": 0.4,
-      "typeNarrowed": null,
-      "strideCategory": "denialOfService",
-      "personaScores": {
-        "script-kiddie": {
-          "score": 0.2,
-          "tier": "low",
-          "factors": [
-            "sev:medium",
-            "auth-gated:1"
-          ]
-        },
-        "opportunistic-criminal": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "apt-nation-state": {
-          "score": 0.35,
-          "tier": "medium",
-          "factors": [
-            "sev:medium",
-            "minor-auth-cost"
-          ]
-        },
-        "supply-chain-attacker": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "malicious-insider": {
-          "score": 0.3,
-          "tier": "low",
-          "factors": [
-            "sev:medium",
-            "insider-bypasses-edge"
-          ]
-        }
-      },
-      "personaTopTwo": [
-        "opportunistic-criminal",
-        "supply-chain-attacker"
-      ],
-      "personaMaxName": "opportunistic-criminal",
-      "personaMaxScore": 0.4,
-      "reverseExposure": null,
-      "specMined": null,
-      "whyFired": {
-        "detector": "sast/dos-sync-io",
-        "ruleId": "CWE-400",
-        "parser": "STRUCTURAL",
-        "evidence": {
-          "sinkSnippet": "if (!fs.existsSync(HELPER_PATH)) return null;",
-          "sourceSnippet": "if (!fs.existsSync(HELPER_PATH)) return null;",
-          "pathSteps": [],
-          "sanitizers": [],
-          "guards": [
-            "type-check"
-          ]
-        },
-        "considered": {
-          "suppressionsApplied": [],
-          "suppressionsSkipped": [],
-          "reachabilityFilter": "unaffected",
-          "clusterCollapsed": false,
-          "typeNarrowed": false,
-          "crownJewelTier": "low-value",
-          "mitigationVerdict": "unreachable-in-prod"
-        },
-        "scanner": {
-          "rulesetVersion": null,
-          "packHash": null,
-          "modelId": null
-        }
-      },
-      "adversaryTranscript": null,
-      "predictedBountyUsd": {
-        "low": 10,
-        "likely": 40,
-        "high": 120,
-        "program": "web2"
-      },
-      "bountyConfidence": "high",
-      "attackPlaybook": null
-    },
-    {
-      "id": "toctou-fs:type-stubs.js:48",
-      "kind": "sast",
-      "severity": "medium",
-      "vuln": "TOCTOU: file existence/permission check before open",
-      "cwe": "CWE-367",
-      "owaspLlm": null,
-      "stride": "Tampering",
-      "file": "type-stubs.js",
-      "line": 48,
-      "snippet": "try { inputs.push(p + ':' + fs.statSync(fp).mtimeMs); } catch {}",
-      "fix": null,
-      "reachable": false,
-      "triage": 22,
-      "dataClasses": [],
-      "chain": null,
-      "confidence": 0.7,
-      "toxicity": 8,
-      "toxicityFactors": [],
-      "toxicityLabel": "Low",
-      "sources": null,
-      "epssScore": null,
-      "epssPercentile": null,
-      "epssCve": null,
-      "exploitedNow": false,
-      "tags": null,
-      "blastRadius": {
-        "scope": "all-users",
-        "dataAtRisk": [
-          "config"
-        ],
-        "userCount": 50,
-        "industry": "generic",
-        "jurisdictions": [],
-        "controlsApplied": [],
-        "dollarBest": 23250,
-        "dollarLikely": 136250,
-        "dollarWorst": 775000,
-        "dollarLow": 23250,
-        "dollarHigh": 775000,
-        "components": {
-          "incidentResponse": {
-            "low": 8000,
-            "likely": 50000,
-            "high": 250000
-          },
-          "legal": {
-            "low": 10000,
-            "likely": 75000,
-            "high": 500000
-          },
-          "crisisPR": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "notification": {
-            "low": 5000,
-            "likely": 10000,
-            "high": 15000
-          },
-          "creditMonitoring": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "regulatoryFines": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "directDamage": {
-            "low": 250,
-            "likely": 1250,
-            "high": 10000
-          },
-          "classAction": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "lostBusiness": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          }
-        },
-        "dominantDriver": "legal counsel",
-        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
-        "confidence": "low",
-        "narrative": "TOCTOU: file existence/permission check before open on `type-stubs.js:48` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      },
-      "stableId": "d72348aa62acffcb",
-      "confidenceTier": "medium",
-      "exploitability": 0.2,
-      "exploitabilityTier": "low",
-      "exploitabilityFactors": [
-        "sev:medium",
-        "unreachable"
-      ],
-      "clusterSize": null,
-      "unreachable": false,
-      "validator_verdict": "unvalidated",
-      "llm_confidence": null,
-      "unvalidated": true,
-      "cross_language": false,
-      "family": "toctou-file-existence-permission-check-b",
-      "parser": "TOCTOU",
-      "_unsigned": false,
-      "_passThroughSigning": false,
-      "signatureStatus": "verified",
-      "regression_test": null,
-      "poc": null,
-      "calibrated_confidence": null,
-      "calibrated_confidence_ci": null,
-      "calibrated_n": 0,
-      "calibration_reason": "no-history",
-      "verifier_verdict": "cannot-verify",
-      "verifier_reason": "no-poc-no-sanitizer-rule",
-      "verifier_runner": null,
-      "narration": null,
-      "mitigationVerdict": "unreachable-in-prod",
-      "mitigationsApplied": [],
-      "mitigatedByWaf": false,
-      "wafRuleId": null,
-      "mitigatedByAuth": false,
-      "authMechanism": null,
-      "mitigatedByNetwork": false,
-      "networkExposure": null,
-      "featureFlag": null,
-      "featureFlagState": null,
-      "featureFlagRollout": null,
-      "exposedInProd": false,
-      "unreachableInProd": true,
-      "coldPath": false,
-      "hotPath": false,
-      "prodRequestCount": null,
-      "crownJewelScore": 0.15,
-      "crownJewelTier": "low-value",
-      "crownJewelFactors": [
-        "shell-execution"
-      ],
-      "cloneClusterId": "1ca765ccc2c8227c",
-      "cloneClusterSize": 2,
-      "provenance": "human-likely",
-      "provenanceScore": 0.12,
-      "typeNarrowed": null,
-      "strideCategory": "tampering",
-      "personaScores": {
-        "script-kiddie": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "opportunistic-criminal": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "apt-nation-state": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "supply-chain-attacker": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        },
-        "malicious-insider": {
-          "score": 0.4,
-          "tier": "medium",
-          "factors": [
-            "sev:medium"
-          ]
-        }
-      },
-      "personaTopTwo": [
-        "script-kiddie",
-        "opportunistic-criminal"
-      ],
-      "personaMaxName": "script-kiddie",
-      "personaMaxScore": 0.4,
-      "reverseExposure": null,
-      "specMined": null,
-      "whyFired": {
-        "detector": "sast/toctou-file-existence-permission-check-b",
-        "ruleId": "CWE-367",
-        "parser": "TOCTOU",
-        "evidence": {
-          "sinkSnippet": "try { inputs.push(p + ':' + fs.statSync(fp).mtimeMs); } catch {}",
-          "sourceSnippet": null,
-          "pathSteps": [],
-          "sanitizers": [],
-          "guards": []
-        },
-        "considered": {
-          "suppressionsApplied": [],
-          "suppressionsSkipped": [],
-          "reachabilityFilter": "unaffected",
-          "clusterCollapsed": false,
-          "typeNarrowed": false,
-          "crownJewelTier": "low-value",
-          "mitigationVerdict": "unreachable-in-prod"
-        },
-        "scanner": {
-          "rulesetVersion": null,
-          "packHash": null,
-          "modelId": null
-        }
-      },
-      "adversaryTranscript": null,
-      "predictedBountyUsd": null,
-      "bountyConfidence": null,
-      "attackPlaybook": null
-    },
-    {
-      "id": "logic:type-stubs.js:57:TOCTOU:_existsSync_followed_by_file_op",
-      "kind": "logic",
-      "severity": "medium",
-      "vuln": "TOCTOU: existsSync followed by file op",
-      "cwe": "CWE-367",
-      "stride": "Tampering",
-      "file": "type-stubs.js",
-      "line": 57,
-      "snippet": "if (!fs.existsSync(fp)) return null;",
-      "fix": {
-        "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
-        "code": ""
-      },
-      "blastRadius": {
-        "scope": "all-users",
-        "dataAtRisk": [
-          "config"
-        ],
-        "userCount": 50,
-        "industry": "generic",
-        "jurisdictions": [],
-        "controlsApplied": [],
-        "dollarBest": 23250,
-        "dollarLikely": 136250,
-        "dollarWorst": 775000,
-        "dollarLow": 23250,
-        "dollarHigh": 775000,
-        "components": {
-          "incidentResponse": {
-            "low": 8000,
-            "likely": 50000,
-            "high": 250000
-          },
-          "legal": {
-            "low": 10000,
-            "likely": 75000,
-            "high": 500000
-          },
-          "crisisPR": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "notification": {
-            "low": 5000,
-            "likely": 10000,
-            "high": 15000
-          },
-          "creditMonitoring": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "regulatoryFines": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "directDamage": {
-            "low": 250,
-            "likely": 1250,
-            "high": 10000
-          },
-          "classAction": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          },
-          "lostBusiness": {
-            "low": 0,
-            "likely": 0,
-            "high": 0
-          }
-        },
-        "dominantDriver": "legal counsel",
-        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
-        "confidence": "low",
-        "narrative": "TOCTOU: existsSync followed by file op on `type-stubs.js:57` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      },
-      "parser": "LOGIC",
-      "family": null
-    }
-  ],
-  "bundles": [],
-  "routes": [],
-  "components": [],
-  "suppressedCount": 6,
-  "blastRadiusSignals": {
-    "industry": "generic",
-    "industryConfidence": "low",
-    "jurisdictions": [],
-    "controls": [],
-    "estimatedUsers": 50,
-    "revenueIndicator": "pre-revenue",
-    "hasStripe": false,
-    "hasAuth": false,
-    "hasUserTable": false,
-    "hasPII": false,
-    "hasPHI": false,
-    "hasS3": false
-  },
-  "_v3": {
-    "counterfactual": {
-      "spofControls": [],
-      "controlsDetected": 307
-    },
-    "threatModel": {
-      "summary": {
-        "assetCount": 0,
-        "boundaryCount": 2,
-        "strideCounts": {
-          "spoofing": 0,
-          "tampering": 1,
-          "repudiation": 0,
-          "informationDisclosure": 0,
-          "denialOfService": 9,
-          "elevationOfPrivilege": 0
-        }
-      },
-      "assets": [],
-      "trustBoundaries": [
-        {
-          "type": "db-edge",
-          "file": "parser-py-cst.js",
-          "line": 13,
-          "label": null
-        },
-        {
-          "type": "db-edge",
-          "file": "parser-py.js",
-          "line": 72,
-          "label": null
-        }
-      ],
-      "stride": {
-        "spoofing": [],
-        "tampering": [
-          {
-            "vuln": "TOCTOU: file existence/permission check before open",
-            "file": "type-stubs.js",
-            "line": 48,
-            "severity": "medium"
-          }
-        ],
-        "repudiation": [],
-        "informationDisclosure": [],
-        "denialOfService": [
-          {
-            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-            "file": "type-stubs.js",
-            "severity": "medium"
-          },
-          {
-            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-            "file": "type-stubs.js",
-            "severity": "medium"
-          },
-          {
-            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-            "file": "type-stubs.js",
-            "severity": "medium"
-          },
-          {
-            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-            "file": "type-stubs.js",
-            "severity": "medium"
-          },
-          {
-            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-            "file": "type-stubs.js",
-            "severity": "medium"
-          },
-          {
-            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-            "file": "type-stubs.js",
-            "severity": "medium"
-          },
-          {
-            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-            "file": "type-stubs.js",
-            "severity": "medium"
-          },
-          {
-            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-            "file": "type-stubs.js",
-            "severity": "medium"
-          },
-          {
-            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-            "file": "parser-py-cst.js",
-            "severity": "medium"
-          }
-        ],
-        "elevationOfPrivilege": []
-      }
-    },
-    "trustBoundaryDiagram": {
-      "mermaid": "flowchart LR\n  INTERNET((Internet))\n  APP[\"Application\"]\n  db_parser_py_cst_js_13[(\"db@parser-py-cst.js:13\")]\n  db_parser_py_js_72[(\"db@parser-py.js:72\")]\n  APP -->|db| db_parser_py_cst_js_13\n  APP -->|db| db_parser_py_js_72\n  class db_parser_py_cst_js_13 sev_medium;\n  classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n  classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n  classDef sev_medium fill:#fff3cd,stroke:#a80;\n  classDef sev_low fill:#e8eaf6,stroke:#557;",
-      "nodes": [
-        {
-          "id": "INTERNET",
-          "kind": "external",
-          "label": "Internet"
-        },
-        {
-          "id": "APP",
-          "kind": "app",
-          "label": "Application"
-        },
-        {
-          "kind": "db",
-          "id": "db_parser_py_cst_js_13",
-          "label": "db@parser-py-cst.js:13"
-        },
-        {
-          "kind": "db",
-          "id": "db_parser_py_js_72",
-          "label": "db@parser-py.js:72"
-        }
-      ],
-      "edges": [
-        {
-          "from": "APP",
-          "to": "db_parser_py_cst_js_13",
-          "kind": "db"
-        },
-        {
-          "from": "APP",
-          "to": "db_parser_py_js_72",
-          "kind": "db"
-        }
-      ],
-      "decorations": [
-        {
-          "nodeId": "db_parser_py_cst_js_13",
-          "severity": "medium",
-          "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
-          "file": "parser-py-cst.js"
-        }
-      ]
-    },
-    "calibrationDrift": {
-      "alarms": [],
-      "note": "no-feedback-data"
-    }
-  },
-  "annotatorErrors": []
-}