@clear-capabilities/agentic-security-scanner 0.78.0 → 0.80.0

package/src/dataflow/.agentic-security/findings.json

@@ -1,23 +1,23 @@
 {
-  "scanId": "e19aeff8-8736-4df3-9d8d-a4d227edb6b1",
-  "startedAt": "2026-05-27T09:30:01.863Z",
-  "durationMs": 501,
+  "scanId": "dc3e8445-37ee-4ae3-bec0-5ce8794347c4",
+  "startedAt": "2026-05-29T06:49:35.694Z",
+  "durationMs": 593,
   "scanned": {
-    "files": 28,
+    "files": 35,
     "lines": 0
   },
   "findings": [
     {
-      "id": "struct:incremental.js:50:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:cross-service-taint.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
       "cwe": "CWE-400",
       "owaspLlm": null,
       "stride": "Denial of Service",
-      "file": "incremental.js",
-      "line": 50,
-      "snippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
+      "file": "cross-service-taint.js",
+      "line": 53,
+      "snippet": "if (!fs.existsSync(fp)) continue;",
       "fix": null,
       "reachable": false,
       "triage": 22,
@@ -99,9 +99,9 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:50` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `cross-service-taint.js:53` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
-      "stableId": "7e2db52a92ce3811",
+      "stableId": "e7d9ad9a119f1e24",
       "confidenceTier": "very-low",
       "exploitability": 0.2,
       "exploitabilityTier": "low",
@@ -149,10 +149,10 @@
       "crownJewelScore": 0,
       "crownJewelTier": "unknown",
       "crownJewelFactors": [],
-      "cloneClusterId": "bf9643a065f64945",
+      "cloneClusterId": "eed315f4ee037434",
       "cloneClusterSize": 2,
-      "provenance": "human-likely",
-      "provenanceScore": 0.22,
+      "provenance": "mixed",
+      "provenanceScore": 0.3,
       "typeNarrowed": null,
       "strideCategory": "denialOfService",
       "personaScores": {
@@ -205,8 +205,8 @@
         "ruleId": "CWE-400",
         "parser": "STRUCTURAL",
         "evidence": {
-          "sinkSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
-          "sourceSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
+          "sinkSnippet": "if (!fs.existsSync(fp)) continue;",
+          "sourceSnippet": "if (!fs.existsSync(fp)) continue;",
           "pathSteps": [],
           "sanitizers": [],
           "guards": []
@@ -237,16 +237,16 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:incremental.js:51:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:cross-service-taint.js:55:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
       "cwe": "CWE-400",
       "owaspLlm": null,
       "stride": "Denial of Service",
-      "file": "incremental.js",
-      "line": 51,
-      "snippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
+      "file": "cross-service-taint.js",
+      "line": 55,
+      "snippet": "const raw = fs.readFileSync(fp, 'utf8');",
       "fix": null,
       "reachable": false,
       "triage": 22,
@@ -328,9 +328,9 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:51` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `cross-service-taint.js:55` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
-      "stableId": "333259288508799a",
+      "stableId": "1c66011582a1e4e0",
       "confidenceTier": "very-low",
       "exploitability": 0.2,
       "exploitabilityTier": "low",
@@ -378,10 +378,10 @@
       "crownJewelScore": 0,
       "crownJewelTier": "unknown",
       "crownJewelFactors": [],
-      "cloneClusterId": "8b60c3f57d48c622",
+      "cloneClusterId": "cea363ef8f00c66a",
       "cloneClusterSize": 1,
-      "provenance": "human-likely",
-      "provenanceScore": 0.22,
+      "provenance": "mixed",
+      "provenanceScore": 0.3,
       "typeNarrowed": null,
       "strideCategory": "denialOfService",
       "personaScores": {
@@ -434,8 +434,8 @@
         "ruleId": "CWE-400",
         "parser": "STRUCTURAL",
         "evidence": {
-          "sinkSnippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
-          "sourceSnippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
+          "sinkSnippet": "const raw = fs.readFileSync(fp, 'utf8');",
+          "sourceSnippet": "const raw = fs.readFileSync(fp, 'utf8');",
           "pathSteps": [],
           "sanitizers": [],
           "guards": []
@@ -466,16 +466,16 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:incremental.js:68:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:cross-service-taint.js:97:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
       "cwe": "CWE-400",
       "owaspLlm": null,
       "stride": "Denial of Service",
-      "file": "incremental.js",
-      "line": 68,
-      "snippet": "if (!fs.existsSync(fp)) return fallback;",
+      "file": "cross-service-taint.js",
+      "line": 97,
+      "snippet": "if (fs.existsSync(pkg)) {",
       "fix": null,
       "reachable": false,
       "triage": 22,
@@ -557,9 +557,9 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:68` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `cross-service-taint.js:97` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
-      "stableId": "6862d6baf0b923f7",
+      "stableId": "de94397ba2f53ab7",
       "confidenceTier": "very-low",
       "exploitability": 0.2,
       "exploitabilityTier": "low",
@@ -607,10 +607,10 @@
       "crownJewelScore": 0,
       "crownJewelTier": "unknown",
       "crownJewelFactors": [],
-      "cloneClusterId": "39f1d6db55cace1d",
+      "cloneClusterId": "31e29761689a4980",
       "cloneClusterSize": 2,
-      "provenance": "human-likely",
-      "provenanceScore": 0.22,
+      "provenance": "mixed",
+      "provenanceScore": 0.3,
       "typeNarrowed": null,
       "strideCategory": "denialOfService",
       "personaScores": {
@@ -663,8 +663,8 @@
         "ruleId": "CWE-400",
         "parser": "STRUCTURAL",
         "evidence": {
-          "sinkSnippet": "if (!fs.existsSync(fp)) return fallback;",
-          "sourceSnippet": "if (!fs.existsSync(fp)) return fallback;",
+          "sinkSnippet": "if (fs.existsSync(pkg)) {",
+          "sourceSnippet": "if (fs.existsSync(pkg)) {",
           "pathSteps": [],
           "sanitizers": [],
           "guards": []
@@ -695,16 +695,16 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:incremental.js:69:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:cross-service-taint.js:98:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
       "cwe": "CWE-400",
       "owaspLlm": null,
       "stride": "Denial of Service",
-      "file": "incremental.js",
-      "line": 69,
-      "snippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
+      "file": "cross-service-taint.js",
+      "line": 98,
+      "snippet": "const j = JSON.parse(fs.readFileSync(pkg, 'utf8'));",
       "fix": null,
       "reachable": false,
       "triage": 22,
@@ -786,9 +786,9 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:69` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `cross-service-taint.js:98` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
-      "stableId": "7314934acc70477c",
+      "stableId": "99571f0208301347",
       "confidenceTier": "very-low",
       "exploitability": 0.2,
       "exploitabilityTier": "low",
@@ -836,10 +836,10 @@
       "crownJewelScore": 0,
       "crownJewelTier": "unknown",
       "crownJewelFactors": [],
-      "cloneClusterId": "b8a597058e30c50c",
-      "cloneClusterSize": 1,
-      "provenance": "human-likely",
-      "provenanceScore": 0.22,
+      "cloneClusterId": "8b60c3f57d48c622",
+      "cloneClusterSize": 3,
+      "provenance": "mixed",
+      "provenanceScore": 0.3,
       "typeNarrowed": null,
       "strideCategory": "denialOfService",
       "personaScores": {
@@ -892,8 +892,8 @@
         "ruleId": "CWE-400",
         "parser": "STRUCTURAL",
         "evidence": {
-          "sinkSnippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
-          "sourceSnippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
+          "sinkSnippet": "const j = JSON.parse(fs.readFileSync(pkg, 'utf8'));",
+          "sourceSnippet": "const j = JSON.parse(fs.readFileSync(pkg, 'utf8'));",
           "pathSteps": [],
           "sanitizers": [],
           "guards": []
@@ -924,16 +924,16 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:incremental.js:203:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:ifds-precise.js:177:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
       "cwe": "CWE-400",
       "owaspLlm": null,
       "stride": "Denial of Service",
-      "file": "incremental.js",
-      "line": 203,
-      "snippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
+      "file": "ifds-precise.js",
+      "line": 177,
+      "snippet": "if (!fs.existsSync(fp)) return null;",
       "fix": null,
       "reachable": false,
       "triage": 22,
@@ -1015,9 +1015,9 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:203` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `ifds-precise.js:177` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
-      "stableId": "71f79aead6c815a7",
+      "stableId": "c6dc986380dccb74",
       "confidenceTier": "very-low",
       "exploitability": 0.2,
       "exploitabilityTier": "low",
@@ -1065,10 +1065,10 @@
       "crownJewelScore": 0,
       "crownJewelTier": "unknown",
       "crownJewelFactors": [],
-      "cloneClusterId": "347295aac188671b",
-      "cloneClusterSize": 1,
-      "provenance": "human-likely",
-      "provenanceScore": 0.22,
+      "cloneClusterId": "66b8a8c25816e7f9",
+      "cloneClusterSize": 2,
+      "provenance": "mixed",
+      "provenanceScore": 0.32,
       "typeNarrowed": null,
       "strideCategory": "denialOfService",
       "personaScores": {
@@ -1121,8 +1121,8 @@
         "ruleId": "CWE-400",
         "parser": "STRUCTURAL",
         "evidence": {
-          "sinkSnippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
-          "sourceSnippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
+          "sinkSnippet": "if (!fs.existsSync(fp)) return null;",
+          "sourceSnippet": "if (!fs.existsSync(fp)) return null;",
           "pathSteps": [],
           "sanitizers": [],
           "guards": []
@@ -1153,16 +1153,16 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:incremental.js:204:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:ifds-precise.js:179:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
       "cwe": "CWE-400",
       "owaspLlm": null,
       "stride": "Denial of Service",
-      "file": "incremental.js",
-      "line": 204,
-      "snippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
+      "file": "ifds-precise.js",
+      "line": 179,
+      "snippet": "const raw = JSON.parse(fs.readFileSync(fp, 'utf8'));",
       "fix": null,
       "reachable": false,
       "triage": 22,
@@ -1244,9 +1244,9 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:204` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `ifds-precise.js:179` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
-      "stableId": "16f0befb55d2a11a",
+      "stableId": "4134d6705892e7a1",
       "confidenceTier": "very-low",
       "exploitability": 0.2,
       "exploitabilityTier": "low",
@@ -1294,10 +1294,10 @@
       "crownJewelScore": 0,
       "crownJewelTier": "unknown",
       "crownJewelFactors": [],
-      "cloneClusterId": "cd20f49000f1b531",
-      "cloneClusterSize": 1,
-      "provenance": "human-likely",
-      "provenanceScore": 0.22,
+      "cloneClusterId": "8b60c3f57d48c622",
+      "cloneClusterSize": 3,
+      "provenance": "mixed",
+      "provenanceScore": 0.32,
       "typeNarrowed": null,
       "strideCategory": "denialOfService",
       "personaScores": {
@@ -1350,8 +1350,8 @@
         "ruleId": "CWE-400",
         "parser": "STRUCTURAL",
         "evidence": {
-          "sinkSnippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
-          "sourceSnippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
+          "sinkSnippet": "const raw = JSON.parse(fs.readFileSync(fp, 'utf8'));",
+          "sourceSnippet": "const raw = JSON.parse(fs.readFileSync(fp, 'utf8'));",
           "pathSteps": [],
           "sanitizers": [],
           "guards": []
@@ -1382,16 +1382,16 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:incremental.js:209:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:ifds-precise.js:206:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
       "cwe": "CWE-400",
       "owaspLlm": null,
       "stride": "Denial of Service",
-      "file": "incremental.js",
-      "line": 209,
-      "snippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
+      "file": "ifds-precise.js",
+      "line": 206,
+      "snippet": "try { fs.writeFileSync(_cachePath(scanRoot), JSON.stringify(out, null, 2)); }",
       "fix": null,
       "reachable": false,
       "triage": 22,
@@ -1473,9 +1473,9 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:209` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `ifds-precise.js:206` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
-      "stableId": "b6ab9f0eaa3c75e0",
+      "stableId": "e415f8ddbefa0072",
       "confidenceTier": "very-low",
       "exploitability": 0.2,
       "exploitabilityTier": "low",
@@ -1523,10 +1523,10 @@
       "crownJewelScore": 0,
       "crownJewelTier": "unknown",
       "crownJewelFactors": [],
-      "cloneClusterId": "4a06d0af981828b5",
+      "cloneClusterId": "3115ba55e9c87bc7",
       "cloneClusterSize": 1,
-      "provenance": "human-likely",
-      "provenanceScore": 0.22,
+      "provenance": "mixed",
+      "provenanceScore": 0.32,
       "typeNarrowed": null,
       "strideCategory": "denialOfService",
       "personaScores": {
@@ -1579,8 +1579,8 @@
         "ruleId": "CWE-400",
         "parser": "STRUCTURAL",
         "evidence": {
-          "sinkSnippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
-          "sourceSnippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
+          "sinkSnippet": "try { fs.writeFileSync(_cachePath(scanRoot), JSON.stringify(out, null, 2)); }",
+          "sourceSnippet": "try { fs.writeFileSync(_cachePath(scanRoot), JSON.stringify(out, null, 2)); }",
           "pathSteps": [],
           "sanitizers": [],
           "guards": []
@@ -1611,7 +1611,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:incremental.js:220:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:incremental.js:50:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -1619,8 +1619,8 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "incremental.js",
-      "line": 220,
-      "snippet": "if (!fs.existsSync(dir)) return true;",
+      "line": 50,
+      "snippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
       "fix": null,
       "reachable": false,
       "triage": 22,
@@ -1702,9 +1702,9 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:220` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:50` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
-      "stableId": "0276003493008082",
+      "stableId": "7e2db52a92ce3811",
       "confidenceTier": "very-low",
       "exploitability": 0.2,
       "exploitabilityTier": "low",
@@ -1752,8 +1752,8 @@
       "crownJewelScore": 0,
       "crownJewelTier": "unknown",
       "crownJewelFactors": [],
-      "cloneClusterId": "b7114d1d9de39865",
-      "cloneClusterSize": 1,
+      "cloneClusterId": "bf9643a065f64945",
+      "cloneClusterSize": 2,
       "provenance": "human-likely",
       "provenanceScore": 0.22,
       "typeNarrowed": null,
@@ -1808,8 +1808,8 @@
         "ruleId": "CWE-400",
         "parser": "STRUCTURAL",
         "evidence": {
-          "sinkSnippet": "if (!fs.existsSync(dir)) return true;",
-          "sourceSnippet": "if (!fs.existsSync(dir)) return true;",
+          "sinkSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
+          "sourceSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
           "pathSteps": [],
           "sanitizers": [],
           "guards": []
@@ -1840,7 +1840,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:incremental.js:223:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:incremental.js:51:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -1848,8 +1848,8 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "incremental.js",
-      "line": 223,
-      "snippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
+      "line": 51,
+      "snippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
       "fix": null,
       "reachable": false,
       "triage": 22,
@@ -1931,9 +1931,9 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:223` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:51` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
-      "stableId": "15ad072cb77cdfe4",
+      "stableId": "333259288508799a",
       "confidenceTier": "very-low",
       "exploitability": 0.2,
       "exploitabilityTier": "low",
@@ -1981,8 +1981,8 @@
       "crownJewelScore": 0,
       "crownJewelTier": "unknown",
       "crownJewelFactors": [],
-      "cloneClusterId": "07f8fac8b280cc73",
-      "cloneClusterSize": 1,
+      "cloneClusterId": "8b60c3f57d48c622",
+      "cloneClusterSize": 3,
       "provenance": "human-likely",
       "provenanceScore": 0.22,
       "typeNarrowed": null,
@@ -2037,8 +2037,8 @@
         "ruleId": "CWE-400",
         "parser": "STRUCTURAL",
         "evidence": {
-          "sinkSnippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
-          "sourceSnippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
+          "sinkSnippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
+          "sourceSnippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
           "pathSteps": [],
           "sanitizers": [],
           "guards": []
@@ -2069,25 +2069,27 @@
       "attackPlaybook": null
     },
     {
-      "id": "ssrf-meta-hardcoded:catalog.js:538",
+      "id": "struct:incremental.js:68:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
-      "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
-      "cwe": "CWE-918",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
       "owaspLlm": null,
-      "stride": "Information Disclosure",
-      "file": "catalog.js",
-      "line": 538,
-      "snippet": "remediation: 'Resolve the host first, reject 169.254.169.254 / RFC1918 / localhost; or proxy through a server-side allow-list.' } },",
+      "stride": "Denial of Service",
+      "file": "incremental.js",
+      "line": 68,
+      "snippet": "if (!fs.existsSync(fp)) return fallback;",
       "fix": null,
       "reachable": false,
       "triage": 22,
       "dataClasses": [],
       "chain": null,
-      "confidence": 0.7,
-      "toxicity": 8,
-      "toxicityFactors": [],
-      "toxicityLabel": "Low",
+      "confidence": 0.212,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
       "sources": null,
       "epssScore": null,
       "epssPercentile": null,
@@ -2097,17 +2099,17 @@
       "blastRadius": {
         "scope": "all-users",
         "dataAtRisk": [
-          "credentials"
+          "config"
         ],
         "userCount": 50,
         "industry": "generic",
         "jurisdictions": [],
         "controlsApplied": [],
-        "dollarBest": 24000,
-        "dollarLikely": 138000,
-        "dollarWorst": 777500,
-        "dollarLow": 24000,
-        "dollarHigh": 777500,
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
         "components": {
           "incidentResponse": {
             "low": 8000,
@@ -2140,9 +2142,9 @@
             "high": 0
           },
           "directDamage": {
-            "low": 1000,
-            "likely": 3000,
-            "high": 12500
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
           },
           "classAction": {
             "low": 0,
@@ -2156,12 +2158,12 @@
           }
         },
         "dominantDriver": "legal counsel",
-        "comparable": "Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "SSRF: explicit reference to cloud instance-metadata endpoint on `catalog.js:538` could expose production credentials and API keys. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $24k · likely $138k · worst $778k. Dominant driver: legal counsel. Comparable: Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:68` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
-      "stableId": "3dfe482b8d5e3a09",
-      "confidenceTier": "medium",
+      "stableId": "6862d6baf0b923f7",
+      "confidenceTier": "very-low",
       "exploitability": 0.2,
       "exploitabilityTier": "low",
       "exploitabilityFactors": [
@@ -2174,35 +2176,19 @@
       "llm_confidence": null,
       "unvalidated": true,
       "cross_language": false,
-      "family": "ssrf",
-      "parser": "SSRF-METADATA",
+      "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
-      "regression_test": {
-        "lang": "node",
-        "framework": null,
-        "filename": null,
-        "runHint": null,
-        "code": null
-      },
-      "poc": {
-        "lang": "node",
-        "kind": "http-payload",
-        "cwe": "CWE-918",
-        "family": "ssrf",
-        "runHint": "node poc.mjs",
-        "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint:   POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload:    http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect:     sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run:        node poc.mjs\n// Exit code:  0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n  ? null\n  : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n  ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n  : URL_;\n\ntry {\n  const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n  const text = await r.text();\n  const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n  if (sig) {\n    process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n    process.exit(0);\n  }\n  process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n  process.exit(1);\n} catch (e) {\n  process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n  process.exit(2);\n}\n",
-        "paramKey": null,
-        "paramKeyConfidence": "low",
-        "paramKeyInferred": false
-      },
+      "regression_test": null,
+      "poc": null,
       "calibrated_confidence": null,
       "calibrated_confidence_ci": null,
-      "calibrated_n": 24,
-      "calibration_reason": "insufficient-samples",
-      "verifier_verdict": "verified-sanitizer-absence",
-      "verifier_reason": "no-sanitizer-in-window",
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
       "verifier_runner": null,
       "narration": null,
       "mitigationVerdict": "unreachable-in-prod",
@@ -2221,17 +2207,15 @@
       "coldPath": false,
       "hotPath": false,
       "prodRequestCount": null,
-      "crownJewelScore": 0.15,
-      "crownJewelTier": "low-value",
-      "crownJewelFactors": [
-        "shell-execution"
-      ],
-      "cloneClusterId": null,
-      "cloneClusterSize": 1,
+      "crownJewelScore": 0,
+      "crownJewelTier": "unknown",
+      "crownJewelFactors": [],
+      "cloneClusterId": "39f1d6db55cace1d",
+      "cloneClusterSize": 2,
       "provenance": "human-likely",
-      "provenanceScore": 0.26,
+      "provenanceScore": 0.22,
       "typeNarrowed": null,
-      "strideCategory": "tampering",
+      "strideCategory": "denialOfService",
       "personaScores": {
         "script-kiddie": {
           "score": 0.4,
@@ -2241,19 +2225,17 @@
           ]
         },
         "opportunistic-criminal": {
-          "score": 0.6,
-          "tier": "high",
+          "score": 0.4,
+          "tier": "medium",
           "factors": [
-            "sev:medium",
-            "bias:ssrf+0.20"
+            "sev:medium"
           ]
         },
         "apt-nation-state": {
-          "score": 0.7,
-          "tier": "high",
+          "score": 0.4,
+          "tier": "medium",
           "factors": [
-            "sev:medium",
-            "bias:ssrf+0.30"
+            "sev:medium"
           ]
         },
         "supply-chain-attacker": {
@@ -2272,21 +2254,21 @@
         }
       },
       "personaTopTwo": [
-        "apt-nation-state",
+        "script-kiddie",
         "opportunistic-criminal"
       ],
-      "personaMaxName": "apt-nation-state",
-      "personaMaxScore": 0.7,
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
       "reverseExposure": null,
       "specMined": null,
       "whyFired": {
-        "detector": "sast/ssrf",
-        "ruleId": "CWE-918",
-        "parser": "SSRF-METADATA",
+        "detector": "sast/dos-sync-io",
+        "ruleId": "CWE-400",
+        "parser": "STRUCTURAL",
         "evidence": {
-          "sinkSnippet": "remediation: 'Resolve the host first, reject 169.254.169.254 / RFC1918 / localhost; or proxy through a server-side allow-list.' } },",
-          "sourceSnippet": null,
-          "pathSteps": [],
+          "sinkSnippet": "if (!fs.existsSync(fp)) return fallback;",
+          "sourceSnippet": "if (!fs.existsSync(fp)) return fallback;",
+          "pathSteps": [],
           "sanitizers": [],
           "guards": []
         },
@@ -2296,7 +2278,7 @@
           "reachabilityFilter": "unaffected",
           "clusterCollapsed": false,
           "typeNarrowed": false,
-          "crownJewelTier": "low-value",
+          "crownJewelTier": "unknown",
           "mitigationVerdict": "unreachable-in-prod"
         },
         "scanner": {
@@ -2307,34 +2289,36 @@
       },
       "adversaryTranscript": null,
       "predictedBountyUsd": {
-        "low": 30,
-        "likely": 120,
-        "high": 350,
+        "low": 10,
+        "likely": 40,
+        "high": 120,
         "program": "web2"
       },
       "bountyConfidence": "high",
       "attackPlaybook": null
     },
     {
-      "id": "ssrf-meta-hardcoded:exploit-prover.js:33",
+      "id": "struct:incremental.js:69:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
-      "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
-      "cwe": "CWE-918",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
       "owaspLlm": null,
-      "stride": "Information Disclosure",
-      "file": "exploit-prover.js",
-      "line": 33,
-      "snippet": "'CWE-918':  `http://169.254.169.254/latest/meta-data/`,             // SSRF",
+      "stride": "Denial of Service",
+      "file": "incremental.js",
+      "line": 69,
+      "snippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
       "fix": null,
       "reachable": false,
       "triage": 22,
       "dataClasses": [],
       "chain": null,
-      "confidence": 0.7,
-      "toxicity": 8,
-      "toxicityFactors": [],
-      "toxicityLabel": "Low",
+      "confidence": 0.212,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
       "sources": null,
       "epssScore": null,
       "epssPercentile": null,
@@ -2344,17 +2328,17 @@
       "blastRadius": {
         "scope": "all-users",
         "dataAtRisk": [
-          "credentials"
+          "config"
         ],
         "userCount": 50,
         "industry": "generic",
         "jurisdictions": [],
         "controlsApplied": [],
-        "dollarBest": 24000,
-        "dollarLikely": 138000,
-        "dollarWorst": 777500,
-        "dollarLow": 24000,
-        "dollarHigh": 777500,
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
         "components": {
           "incidentResponse": {
             "low": 8000,
@@ -2387,9 +2371,9 @@
             "high": 0
           },
           "directDamage": {
-            "low": 1000,
-            "likely": 3000,
-            "high": 12500
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
           },
           "classAction": {
             "low": 0,
@@ -2403,12 +2387,12 @@
           }
         },
         "dominantDriver": "legal counsel",
-        "comparable": "Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "SSRF: explicit reference to cloud instance-metadata endpoint on `exploit-prover.js:33` could expose production credentials and API keys. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $24k · likely $138k · worst $778k. Dominant driver: legal counsel. Comparable: Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:69` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
-      "stableId": "88ebc2728475812c",
-      "confidenceTier": "medium",
+      "stableId": "7314934acc70477c",
+      "confidenceTier": "very-low",
       "exploitability": 0.2,
       "exploitabilityTier": "low",
       "exploitabilityFactors": [
@@ -2421,35 +2405,19 @@
       "llm_confidence": null,
       "unvalidated": true,
       "cross_language": false,
-      "family": "ssrf",
-      "parser": "SSRF-METADATA",
+      "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
-      "regression_test": {
-        "lang": "node",
-        "framework": null,
-        "filename": null,
-        "runHint": null,
-        "code": null
-      },
-      "poc": {
-        "lang": "node",
-        "kind": "http-payload",
-        "cwe": "CWE-918",
-        "family": "ssrf",
-        "runHint": "node poc.mjs",
-        "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint:   POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload:    http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect:     sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run:        node poc.mjs\n// Exit code:  0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n  ? null\n  : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n  ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n  : URL_;\n\ntry {\n  const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n  const text = await r.text();\n  const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n  if (sig) {\n    process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n    process.exit(0);\n  }\n  process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n  process.exit(1);\n} catch (e) {\n  process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n  process.exit(2);\n}\n",
-        "paramKey": null,
-        "paramKeyConfidence": "low",
-        "paramKeyInferred": false
-      },
+      "regression_test": null,
+      "poc": null,
       "calibrated_confidence": null,
       "calibrated_confidence_ci": null,
-      "calibrated_n": 24,
-      "calibration_reason": "insufficient-samples",
-      "verifier_verdict": "verified-sanitizer-absence",
-      "verifier_reason": "no-sanitizer-in-window",
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
       "verifier_runner": null,
       "narration": null,
       "mitigationVerdict": "unreachable-in-prod",
@@ -2471,12 +2439,12 @@
       "crownJewelScore": 0,
       "crownJewelTier": "unknown",
       "crownJewelFactors": [],
-      "cloneClusterId": null,
+      "cloneClusterId": "b8a597058e30c50c",
       "cloneClusterSize": 1,
-      "provenance": "mixed",
-      "provenanceScore": 0.3,
+      "provenance": "human-likely",
+      "provenanceScore": 0.22,
       "typeNarrowed": null,
-      "strideCategory": "tampering",
+      "strideCategory": "denialOfService",
       "personaScores": {
         "script-kiddie": {
           "score": 0.4,
@@ -2486,19 +2454,17 @@
           ]
         },
         "opportunistic-criminal": {
-          "score": 0.6,
-          "tier": "high",
+          "score": 0.4,
+          "tier": "medium",
           "factors": [
-            "sev:medium",
-            "bias:ssrf+0.20"
+            "sev:medium"
           ]
         },
         "apt-nation-state": {
-          "score": 0.7,
-          "tier": "high",
+          "score": 0.4,
+          "tier": "medium",
           "factors": [
-            "sev:medium",
-            "bias:ssrf+0.30"
+            "sev:medium"
           ]
         },
         "supply-chain-attacker": {
@@ -2517,20 +2483,20 @@
         }
       },
       "personaTopTwo": [
-        "apt-nation-state",
+        "script-kiddie",
         "opportunistic-criminal"
       ],
-      "personaMaxName": "apt-nation-state",
-      "personaMaxScore": 0.7,
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
       "reverseExposure": null,
       "specMined": null,
       "whyFired": {
-        "detector": "sast/ssrf",
-        "ruleId": "CWE-918",
-        "parser": "SSRF-METADATA",
+        "detector": "sast/dos-sync-io",
+        "ruleId": "CWE-400",
+        "parser": "STRUCTURAL",
         "evidence": {
-          "sinkSnippet": "'CWE-918':  `http://169.254.169.254/latest/meta-data/`,             // SSRF",
-          "sourceSnippet": null,
+          "sinkSnippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
+          "sourceSnippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
           "pathSteps": [],
           "sanitizers": [],
           "guards": []
@@ -2552,34 +2518,36 @@
       },
       "adversaryTranscript": null,
       "predictedBountyUsd": {
-        "low": 30,
-        "likely": 120,
-        "high": 350,
+        "low": 10,
+        "likely": 40,
+        "high": 120,
         "program": "web2"
       },
       "bountyConfidence": "high",
       "attackPlaybook": null
     },
     {
-      "id": "toctou-fs:incremental.js:50",
+      "id": "struct:incremental.js:203:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
-      "vuln": "TOCTOU: file existence/permission check before open",
-      "cwe": "CWE-367",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
       "owaspLlm": null,
-      "stride": "Tampering",
+      "stride": "Denial of Service",
       "file": "incremental.js",
-      "line": 50,
-      "snippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
+      "line": 203,
+      "snippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
       "fix": null,
       "reachable": false,
       "triage": 22,
       "dataClasses": [],
       "chain": null,
-      "confidence": 0.7,
-      "toxicity": 8,
-      "toxicityFactors": [],
-      "toxicityLabel": "Low",
+      "confidence": 0.212,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
       "sources": null,
       "epssScore": null,
       "epssPercentile": null,
@@ -2648,12 +2616,12 @@
           }
         },
         "dominantDriver": "legal counsel",
-        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "TOCTOU: file existence/permission check before open on `incremental.js:50` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:203` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
-      "stableId": "3184d498fcca8634",
-      "confidenceTier": "medium",
+      "stableId": "71f79aead6c815a7",
+      "confidenceTier": "very-low",
       "exploitability": 0.2,
       "exploitabilityTier": "low",
       "exploitabilityFactors": [
@@ -2666,8 +2634,8 @@
       "llm_confidence": null,
       "unvalidated": true,
       "cross_language": false,
-      "family": "toctou-file-existence-permission-check-b",
-      "parser": "TOCTOU",
+      "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -2700,12 +2668,12 @@
       "crownJewelScore": 0,
       "crownJewelTier": "unknown",
       "crownJewelFactors": [],
-      "cloneClusterId": "bf9643a065f64945",
-      "cloneClusterSize": 2,
+      "cloneClusterId": "347295aac188671b",
+      "cloneClusterSize": 1,
       "provenance": "human-likely",
       "provenanceScore": 0.22,
       "typeNarrowed": null,
-      "strideCategory": "tampering",
+      "strideCategory": "denialOfService",
       "personaScores": {
         "script-kiddie": {
           "score": 0.4,
@@ -2752,12 +2720,12 @@
       "reverseExposure": null,
       "specMined": null,
       "whyFired": {
-        "detector": "sast/toctou-file-existence-permission-check-b",
-        "ruleId": "CWE-367",
-        "parser": "TOCTOU",
+        "detector": "sast/dos-sync-io",
+        "ruleId": "CWE-400",
+        "parser": "STRUCTURAL",
         "evidence": {
-          "sinkSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
-          "sourceSnippet": null,
+          "sinkSnippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
+          "sourceSnippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
           "pathSteps": [],
           "sanitizers": [],
           "guards": []
@@ -2778,30 +2746,37 @@
         }
       },
       "adversaryTranscript": null,
-      "predictedBountyUsd": null,
-      "bountyConfidence": null,
+      "predictedBountyUsd": {
+        "low": 10,
+        "likely": 40,
+        "high": 120,
+        "program": "web2"
+      },
+      "bountyConfidence": "high",
       "attackPlaybook": null
     },
     {
-      "id": "toctou-fs:incremental.js:68",
+      "id": "struct:incremental.js:204:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
-      "vuln": "TOCTOU: file existence/permission check before open",
-      "cwe": "CWE-367",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
       "owaspLlm": null,
-      "stride": "Tampering",
+      "stride": "Denial of Service",
       "file": "incremental.js",
-      "line": 68,
-      "snippet": "if (!fs.existsSync(fp)) return fallback;",
+      "line": 204,
+      "snippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
       "fix": null,
       "reachable": false,
       "triage": 22,
       "dataClasses": [],
       "chain": null,
-      "confidence": 0.7,
-      "toxicity": 8,
-      "toxicityFactors": [],
-      "toxicityLabel": "Low",
+      "confidence": 0.212,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
       "sources": null,
       "epssScore": null,
       "epssPercentile": null,
@@ -2870,12 +2845,12 @@
           }
         },
         "dominantDriver": "legal counsel",
-        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "TOCTOU: file existence/permission check before open on `incremental.js:68` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:204` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
-      "stableId": "ca2e725c38df4ef6",
-      "confidenceTier": "medium",
+      "stableId": "16f0befb55d2a11a",
+      "confidenceTier": "very-low",
       "exploitability": 0.2,
       "exploitabilityTier": "low",
       "exploitabilityFactors": [
@@ -2888,8 +2863,8 @@
       "llm_confidence": null,
       "unvalidated": true,
       "cross_language": false,
-      "family": "toctou-file-existence-permission-check-b",
-      "parser": "TOCTOU",
+      "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -2922,12 +2897,12 @@
       "crownJewelScore": 0,
       "crownJewelTier": "unknown",
       "crownJewelFactors": [],
-      "cloneClusterId": "39f1d6db55cace1d",
-      "cloneClusterSize": 2,
+      "cloneClusterId": "cd20f49000f1b531",
+      "cloneClusterSize": 1,
       "provenance": "human-likely",
       "provenanceScore": 0.22,
       "typeNarrowed": null,
-      "strideCategory": "tampering",
+      "strideCategory": "denialOfService",
       "personaScores": {
         "script-kiddie": {
           "score": 0.4,
@@ -2974,12 +2949,12 @@
       "reverseExposure": null,
       "specMined": null,
       "whyFired": {
-        "detector": "sast/toctou-file-existence-permission-check-b",
-        "ruleId": "CWE-367",
-        "parser": "TOCTOU",
+        "detector": "sast/dos-sync-io",
+        "ruleId": "CWE-400",
+        "parser": "STRUCTURAL",
         "evidence": {
-          "sinkSnippet": "if (!fs.existsSync(fp)) return fallback;",
-          "sourceSnippet": null,
+          "sinkSnippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
+          "sourceSnippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
           "pathSteps": [],
           "sanitizers": [],
           "guards": []
@@ -3000,12 +2975,2555 @@
         }
       },
       "adversaryTranscript": null,
-      "predictedBountyUsd": null,
-      "bountyConfidence": null,
+      "predictedBountyUsd": {
+        "low": 10,
+        "likely": 40,
+        "high": 120,
+        "program": "web2"
+      },
+      "bountyConfidence": "high",
       "attackPlaybook": null
     },
     {
-      "id": "77f1352c8462f8db",
+      "id": "struct:incremental.js:209:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
+      "owaspLlm": null,
+      "stride": "Denial of Service",
+      "file": "incremental.js",
+      "line": 209,
+      "snippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.212,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:209` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      },
+      "stableId": "b6ab9f0eaa3c75e0",
+      "confidenceTier": "very-low",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0,
+      "crownJewelTier": "unknown",
+      "crownJewelFactors": [],
+      "cloneClusterId": "4a06d0af981828b5",
+      "cloneClusterSize": 1,
+      "provenance": "human-likely",
+      "provenanceScore": 0.22,
+      "typeNarrowed": null,
+      "strideCategory": "denialOfService",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/dos-sync-io",
+        "ruleId": "CWE-400",
+        "parser": "STRUCTURAL",
+        "evidence": {
+          "sinkSnippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
+          "sourceSnippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "unknown",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": {
+        "low": 10,
+        "likely": 40,
+        "high": 120,
+        "program": "web2"
+      },
+      "bountyConfidence": "high",
+      "attackPlaybook": null
+    },
+    {
+      "id": "struct:incremental.js:220:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
+      "owaspLlm": null,
+      "stride": "Denial of Service",
+      "file": "incremental.js",
+      "line": 220,
+      "snippet": "if (!fs.existsSync(dir)) return true;",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.212,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:220` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      },
+      "stableId": "0276003493008082",
+      "confidenceTier": "very-low",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0,
+      "crownJewelTier": "unknown",
+      "crownJewelFactors": [],
+      "cloneClusterId": "b7114d1d9de39865",
+      "cloneClusterSize": 1,
+      "provenance": "human-likely",
+      "provenanceScore": 0.22,
+      "typeNarrowed": null,
+      "strideCategory": "denialOfService",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/dos-sync-io",
+        "ruleId": "CWE-400",
+        "parser": "STRUCTURAL",
+        "evidence": {
+          "sinkSnippet": "if (!fs.existsSync(dir)) return true;",
+          "sourceSnippet": "if (!fs.existsSync(dir)) return true;",
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "unknown",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": {
+        "low": 10,
+        "likely": 40,
+        "high": 120,
+        "program": "web2"
+      },
+      "bountyConfidence": "high",
+      "attackPlaybook": null
+    },
+    {
+      "id": "struct:incremental.js:223:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
+      "owaspLlm": null,
+      "stride": "Denial of Service",
+      "file": "incremental.js",
+      "line": 223,
+      "snippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.212,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:223` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      },
+      "stableId": "15ad072cb77cdfe4",
+      "confidenceTier": "very-low",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0,
+      "crownJewelTier": "unknown",
+      "crownJewelFactors": [],
+      "cloneClusterId": "07f8fac8b280cc73",
+      "cloneClusterSize": 1,
+      "provenance": "human-likely",
+      "provenanceScore": 0.22,
+      "typeNarrowed": null,
+      "strideCategory": "denialOfService",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/dos-sync-io",
+        "ruleId": "CWE-400",
+        "parser": "STRUCTURAL",
+        "evidence": {
+          "sinkSnippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
+          "sourceSnippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "unknown",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": {
+        "low": 10,
+        "likely": 40,
+        "high": 120,
+        "program": "web2"
+      },
+      "bountyConfidence": "high",
+      "attackPlaybook": null
+    },
+    {
+      "id": "ssrf-meta-hardcoded:catalog.js:538",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
+      "cwe": "CWE-918",
+      "owaspLlm": null,
+      "stride": "Information Disclosure",
+      "file": "catalog.js",
+      "line": 538,
+      "snippet": "remediation: 'Resolve the host first, reject 169.254.169.254 / RFC1918 / localhost; or proxy through a server-side allow-list.' } },",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.7,
+      "toxicity": 8,
+      "toxicityFactors": [],
+      "toxicityLabel": "Low",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "credentials"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 24000,
+        "dollarLikely": 138000,
+        "dollarWorst": 777500,
+        "dollarLow": 24000,
+        "dollarHigh": 777500,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 1000,
+            "likely": 3000,
+            "high": 12500
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)",
+        "confidence": "low",
+        "narrative": "SSRF: explicit reference to cloud instance-metadata endpoint on `catalog.js:538` could expose production credentials and API keys. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $24k · likely $138k · worst $778k. Dominant driver: legal counsel. Comparable: Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)."
+      },
+      "stableId": "3dfe482b8d5e3a09",
+      "confidenceTier": "medium",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "ssrf",
+      "parser": "SSRF-METADATA",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": {
+        "lang": "node",
+        "framework": null,
+        "filename": null,
+        "runHint": null,
+        "code": null
+      },
+      "poc": {
+        "lang": "node",
+        "kind": "http-payload",
+        "cwe": "CWE-918",
+        "family": "ssrf",
+        "runHint": "node poc.mjs",
+        "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint:   POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload:    http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect:     sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run:        node poc.mjs\n// Exit code:  0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n  ? null\n  : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n  ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n  : URL_;\n\ntry {\n  const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n  const text = await r.text();\n  const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n  if (sig) {\n    process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n    process.exit(0);\n  }\n  process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n  process.exit(1);\n} catch (e) {\n  process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n  process.exit(2);\n}\n",
+        "paramKey": null,
+        "paramKeyConfidence": "low",
+        "paramKeyInferred": false
+      },
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 24,
+      "calibration_reason": "insufficient-samples",
+      "verifier_verdict": "verified-sanitizer-absence",
+      "verifier_reason": "no-sanitizer-in-window",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0.15,
+      "crownJewelTier": "low-value",
+      "crownJewelFactors": [
+        "shell-execution"
+      ],
+      "cloneClusterId": null,
+      "cloneClusterSize": 1,
+      "provenance": "human-likely",
+      "provenanceScore": 0.26,
+      "typeNarrowed": null,
+      "strideCategory": "tampering",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.6,
+          "tier": "high",
+          "factors": [
+            "sev:medium",
+            "bias:ssrf+0.20"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.7,
+          "tier": "high",
+          "factors": [
+            "sev:medium",
+            "bias:ssrf+0.30"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "apt-nation-state",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "apt-nation-state",
+      "personaMaxScore": 0.7,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/ssrf",
+        "ruleId": "CWE-918",
+        "parser": "SSRF-METADATA",
+        "evidence": {
+          "sinkSnippet": "remediation: 'Resolve the host first, reject 169.254.169.254 / RFC1918 / localhost; or proxy through a server-side allow-list.' } },",
+          "sourceSnippet": null,
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "low-value",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": {
+        "low": 30,
+        "likely": 120,
+        "high": 350,
+        "program": "web2"
+      },
+      "bountyConfidence": "high",
+      "attackPlaybook": null
+    },
+    {
+      "id": "toctou-fs:cross-service-taint.js:53",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "TOCTOU: file existence/permission check before open",
+      "cwe": "CWE-367",
+      "owaspLlm": null,
+      "stride": "Tampering",
+      "file": "cross-service-taint.js",
+      "line": 53,
+      "snippet": "if (!fs.existsSync(fp)) continue;",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.7,
+      "toxicity": 8,
+      "toxicityFactors": [],
+      "toxicityLabel": "Low",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "confidence": "low",
+        "narrative": "TOCTOU: file existence/permission check before open on `cross-service-taint.js:53` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+      },
+      "stableId": "6e563e49115a8c19",
+      "confidenceTier": "medium",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0,
+      "crownJewelTier": "unknown",
+      "crownJewelFactors": [],
+      "cloneClusterId": "eed315f4ee037434",
+      "cloneClusterSize": 2,
+      "provenance": "mixed",
+      "provenanceScore": 0.3,
+      "typeNarrowed": null,
+      "strideCategory": "tampering",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/toctou-file-existence-permission-check-b",
+        "ruleId": "CWE-367",
+        "parser": "TOCTOU",
+        "evidence": {
+          "sinkSnippet": "if (!fs.existsSync(fp)) continue;",
+          "sourceSnippet": null,
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "unknown",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": null,
+      "bountyConfidence": null,
+      "attackPlaybook": null
+    },
+    {
+      "id": "toctou-fs:cross-service-taint.js:97",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "TOCTOU: file existence/permission check before open",
+      "cwe": "CWE-367",
+      "owaspLlm": null,
+      "stride": "Tampering",
+      "file": "cross-service-taint.js",
+      "line": 97,
+      "snippet": "if (fs.existsSync(pkg)) {",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.7,
+      "toxicity": 8,
+      "toxicityFactors": [],
+      "toxicityLabel": "Low",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "confidence": "low",
+        "narrative": "TOCTOU: file existence/permission check before open on `cross-service-taint.js:97` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+      },
+      "stableId": "51f091cc1c2cb0ad",
+      "confidenceTier": "medium",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0,
+      "crownJewelTier": "unknown",
+      "crownJewelFactors": [],
+      "cloneClusterId": "31e29761689a4980",
+      "cloneClusterSize": 2,
+      "provenance": "mixed",
+      "provenanceScore": 0.3,
+      "typeNarrowed": null,
+      "strideCategory": "tampering",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/toctou-file-existence-permission-check-b",
+        "ruleId": "CWE-367",
+        "parser": "TOCTOU",
+        "evidence": {
+          "sinkSnippet": "if (fs.existsSync(pkg)) {",
+          "sourceSnippet": null,
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "unknown",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": null,
+      "bountyConfidence": null,
+      "attackPlaybook": null
+    },
+    {
+      "id": "ssrf-meta-hardcoded:exploit-prover.js:33",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
+      "cwe": "CWE-918",
+      "owaspLlm": null,
+      "stride": "Information Disclosure",
+      "file": "exploit-prover.js",
+      "line": 33,
+      "snippet": "'CWE-918':  `http://169.254.169.254/latest/meta-data/`,             // SSRF",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.7,
+      "toxicity": 8,
+      "toxicityFactors": [],
+      "toxicityLabel": "Low",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "credentials"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 24000,
+        "dollarLikely": 138000,
+        "dollarWorst": 777500,
+        "dollarLow": 24000,
+        "dollarHigh": 777500,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 1000,
+            "likely": 3000,
+            "high": 12500
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)",
+        "confidence": "low",
+        "narrative": "SSRF: explicit reference to cloud instance-metadata endpoint on `exploit-prover.js:33` could expose production credentials and API keys. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $24k · likely $138k · worst $778k. Dominant driver: legal counsel. Comparable: Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)."
+      },
+      "stableId": "88ebc2728475812c",
+      "confidenceTier": "medium",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "ssrf",
+      "parser": "SSRF-METADATA",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": {
+        "lang": "node",
+        "framework": null,
+        "filename": null,
+        "runHint": null,
+        "code": null
+      },
+      "poc": {
+        "lang": "node",
+        "kind": "http-payload",
+        "cwe": "CWE-918",
+        "family": "ssrf",
+        "runHint": "node poc.mjs",
+        "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint:   POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload:    http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect:     sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run:        node poc.mjs\n// Exit code:  0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n  ? null\n  : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n  ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n  : URL_;\n\ntry {\n  const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n  const text = await r.text();\n  const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n  if (sig) {\n    process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n    process.exit(0);\n  }\n  process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n  process.exit(1);\n} catch (e) {\n  process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n  process.exit(2);\n}\n",
+        "paramKey": null,
+        "paramKeyConfidence": "low",
+        "paramKeyInferred": false
+      },
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 24,
+      "calibration_reason": "insufficient-samples",
+      "verifier_verdict": "verified-sanitizer-absence",
+      "verifier_reason": "no-sanitizer-in-window",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0,
+      "crownJewelTier": "unknown",
+      "crownJewelFactors": [],
+      "cloneClusterId": null,
+      "cloneClusterSize": 1,
+      "provenance": "mixed",
+      "provenanceScore": 0.3,
+      "typeNarrowed": null,
+      "strideCategory": "tampering",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.6,
+          "tier": "high",
+          "factors": [
+            "sev:medium",
+            "bias:ssrf+0.20"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.7,
+          "tier": "high",
+          "factors": [
+            "sev:medium",
+            "bias:ssrf+0.30"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "apt-nation-state",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "apt-nation-state",
+      "personaMaxScore": 0.7,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/ssrf",
+        "ruleId": "CWE-918",
+        "parser": "SSRF-METADATA",
+        "evidence": {
+          "sinkSnippet": "'CWE-918':  `http://169.254.169.254/latest/meta-data/`,             // SSRF",
+          "sourceSnippet": null,
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "unknown",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": {
+        "low": 30,
+        "likely": 120,
+        "high": 350,
+        "program": "web2"
+      },
+      "bountyConfidence": "high",
+      "attackPlaybook": null
+    },
+    {
+      "id": "toctou-fs:ifds-precise.js:177",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "TOCTOU: file existence/permission check before open",
+      "cwe": "CWE-367",
+      "owaspLlm": null,
+      "stride": "Tampering",
+      "file": "ifds-precise.js",
+      "line": 177,
+      "snippet": "if (!fs.existsSync(fp)) return null;",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.7,
+      "toxicity": 8,
+      "toxicityFactors": [],
+      "toxicityLabel": "Low",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "confidence": "low",
+        "narrative": "TOCTOU: file existence/permission check before open on `ifds-precise.js:177` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+      },
+      "stableId": "be2c228b413046d9",
+      "confidenceTier": "medium",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0,
+      "crownJewelTier": "unknown",
+      "crownJewelFactors": [],
+      "cloneClusterId": "66b8a8c25816e7f9",
+      "cloneClusterSize": 2,
+      "provenance": "mixed",
+      "provenanceScore": 0.32,
+      "typeNarrowed": null,
+      "strideCategory": "tampering",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/toctou-file-existence-permission-check-b",
+        "ruleId": "CWE-367",
+        "parser": "TOCTOU",
+        "evidence": {
+          "sinkSnippet": "if (!fs.existsSync(fp)) return null;",
+          "sourceSnippet": null,
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "unknown",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": null,
+      "bountyConfidence": null,
+      "attackPlaybook": null
+    },
+    {
+      "id": "toctou-fs:incremental.js:50",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "TOCTOU: file existence/permission check before open",
+      "cwe": "CWE-367",
+      "owaspLlm": null,
+      "stride": "Tampering",
+      "file": "incremental.js",
+      "line": 50,
+      "snippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.7,
+      "toxicity": 8,
+      "toxicityFactors": [],
+      "toxicityLabel": "Low",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "confidence": "low",
+        "narrative": "TOCTOU: file existence/permission check before open on `incremental.js:50` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+      },
+      "stableId": "3184d498fcca8634",
+      "confidenceTier": "medium",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0,
+      "crownJewelTier": "unknown",
+      "crownJewelFactors": [],
+      "cloneClusterId": "bf9643a065f64945",
+      "cloneClusterSize": 2,
+      "provenance": "human-likely",
+      "provenanceScore": 0.22,
+      "typeNarrowed": null,
+      "strideCategory": "tampering",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/toctou-file-existence-permission-check-b",
+        "ruleId": "CWE-367",
+        "parser": "TOCTOU",
+        "evidence": {
+          "sinkSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
+          "sourceSnippet": null,
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "unknown",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": null,
+      "bountyConfidence": null,
+      "attackPlaybook": null
+    },
+    {
+      "id": "toctou-fs:incremental.js:68",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "TOCTOU: file existence/permission check before open",
+      "cwe": "CWE-367",
+      "owaspLlm": null,
+      "stride": "Tampering",
+      "file": "incremental.js",
+      "line": 68,
+      "snippet": "if (!fs.existsSync(fp)) return fallback;",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.7,
+      "toxicity": 8,
+      "toxicityFactors": [],
+      "toxicityLabel": "Low",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "confidence": "low",
+        "narrative": "TOCTOU: file existence/permission check before open on `incremental.js:68` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+      },
+      "stableId": "ca2e725c38df4ef6",
+      "confidenceTier": "medium",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0,
+      "crownJewelTier": "unknown",
+      "crownJewelFactors": [],
+      "cloneClusterId": "39f1d6db55cace1d",
+      "cloneClusterSize": 2,
+      "provenance": "human-likely",
+      "provenanceScore": 0.22,
+      "typeNarrowed": null,
+      "strideCategory": "tampering",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/toctou-file-existence-permission-check-b",
+        "ruleId": "CWE-367",
+        "parser": "TOCTOU",
+        "evidence": {
+          "sinkSnippet": "if (!fs.existsSync(fp)) return fallback;",
+          "sourceSnippet": null,
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "unknown",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": null,
+      "bountyConfidence": null,
+      "attackPlaybook": null
+    },
+    {
+      "id": "logic:cross-service-taint.js:53:TOCTOU:_existsSync_followed_by_file_op",
+      "kind": "logic",
+      "severity": "medium",
+      "vuln": "TOCTOU: existsSync followed by file op",
+      "cwe": "CWE-367",
+      "stride": "Tampering",
+      "file": "cross-service-taint.js",
+      "line": 53,
+      "snippet": "if (!fs.existsSync(fp)) continue;",
+      "fix": {
+        "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
+        "code": ""
+      },
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "confidence": "low",
+        "narrative": "TOCTOU: existsSync followed by file op on `cross-service-taint.js:53` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+      },
+      "parser": "LOGIC",
+      "family": null
+    },
+    {
+      "id": "logic:cross-service-taint.js:97:TOCTOU:_existsSync_followed_by_file_op",
+      "kind": "logic",
+      "severity": "medium",
+      "vuln": "TOCTOU: existsSync followed by file op",
+      "cwe": "CWE-367",
+      "stride": "Tampering",
+      "file": "cross-service-taint.js",
+      "line": 97,
+      "snippet": "if (fs.existsSync(pkg)) {",
+      "fix": {
+        "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
+        "code": ""
+      },
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "confidence": "low",
+        "narrative": "TOCTOU: existsSync followed by file op on `cross-service-taint.js:97` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+      },
+      "parser": "LOGIC",
+      "family": null
+    },
+    {
+      "id": "logic:ifds-precise.js:177:TOCTOU:_existsSync_followed_by_file_op",
+      "kind": "logic",
+      "severity": "medium",
+      "vuln": "TOCTOU: existsSync followed by file op",
+      "cwe": "CWE-367",
+      "stride": "Tampering",
+      "file": "ifds-precise.js",
+      "line": 177,
+      "snippet": "if (!fs.existsSync(fp)) return null;",
+      "fix": {
+        "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
+        "code": ""
+      },
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "confidence": "low",
+        "narrative": "TOCTOU: existsSync followed by file op on `ifds-precise.js:177` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+      },
+      "parser": "LOGIC",
+      "family": null
+    },
+    {
+      "id": "77f1352c8462f8db",
       "kind": "logic",
       "severity": "medium",
       "vuln": "Race Condition (TOCTOU)",
@@ -3340,7 +5858,7 @@
   "bundles": [],
   "routes": [],
   "components": [],
-  "suppressedCount": 12,
+  "suppressedCount": 13,
   "blastRadiusSignals": {
     "industry": "generic",
     "industryConfidence": "low",
@@ -3358,7 +5876,7 @@
   "_v3": {
     "counterfactual": {
       "spofControls": [],
-      "controlsDetected": 219
+      "controlsDetected": 343
     },
     "threatModel": {
       "summary": {
@@ -3366,10 +5884,10 @@
         "boundaryCount": 2,
         "strideCounts": {
           "spoofing": 0,
-          "tampering": 4,
+          "tampering": 7,
           "repudiation": 0,
           "informationDisclosure": 0,
-          "denialOfService": 9,
+          "denialOfService": 16,
           "elevationOfPrivilege": 0
         }
       },
@@ -3397,12 +5915,30 @@
             "line": 538,
             "severity": "medium"
           },
+          {
+            "vuln": "TOCTOU: file existence/permission check before open",
+            "file": "cross-service-taint.js",
+            "line": 53,
+            "severity": "medium"
+          },
+          {
+            "vuln": "TOCTOU: file existence/permission check before open",
+            "file": "cross-service-taint.js",
+            "line": 97,
+            "severity": "medium"
+          },
           {
             "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
             "file": "exploit-prover.js",
             "line": 33,
             "severity": "medium"
           },
+          {
+            "vuln": "TOCTOU: file existence/permission check before open",
+            "file": "ifds-precise.js",
+            "line": 177,
+            "severity": "medium"
+          },
           {
             "vuln": "TOCTOU: file existence/permission check before open",
             "file": "incremental.js",
@@ -3419,6 +5955,41 @@
         "repudiation": [],
         "informationDisclosure": [],
         "denialOfService": [
+          {
+            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+            "file": "cross-service-taint.js",
+            "severity": "medium"
+          },
+          {
+            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+            "file": "cross-service-taint.js",
+            "severity": "medium"
+          },
+          {
+            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+            "file": "cross-service-taint.js",
+            "severity": "medium"
+          },
+          {
+            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+            "file": "cross-service-taint.js",
+            "severity": "medium"
+          },
+          {
+            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+            "file": "ifds-precise.js",
+            "severity": "medium"
+          },
+          {
+            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+            "file": "ifds-precise.js",
+            "severity": "medium"
+          },
+          {
+            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+            "file": "ifds-precise.js",
+            "severity": "medium"
+          },
           {
             "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
             "file": "incremental.js",