{"count":4,"artifacts":[{"artifact_id":"admitted_artifact_584be7920a3ad62bacff8752","body":"Critical: This exports a non-terminating loop (`while (true) {`) from runtime code at `lib/infinite-loop.ts:3`. Any caller pins the event loop / process with no callable workaround — including callers in production. Fix: move the construct to a test fixture or harness, OR add an explicit exit condition (await, sleep, break, return, throw, yield, process.exit). If the loop is intentional external-detection bait, mark the file path under `/fixtures/` or `/tests/` so it stays out of runtime.","candidate_id":"pr_review_finding_2503b821454e9beaad357961","candidate_kind":"pr_review_finding","chamber_admission_kind":"human_authorization","chamber_block_id":"7638e35f18d039063e419b9e6c28eab0c2cdde49547f621cd69f01124d7d5ed9","chamber_sequence":163,"github_comment_id":4537763940,"github_comment_url":"https://github.com/fentonbenjamin/shape/pull/11#issuecomment-4537763940","head_sha":"d347ad865b9dfec450b1e18baee954ff7397e3ed","intake_id":"i_4e7b9d81cbe3ea59","post_status":"recovered","pr_number":11,"recovered_at":"2026-05-26T04:08:49.584797+00:00","recovered_via_comp_id":"comp_11176328f5ac73b5437375cd","recovery_method":"chain_and_github_verification","repo":"fentonbenjamin/shape","specimen_id":"specimen:smell_check.farm.infinite_loop:gh:fentonbenjamin/shape#11@d347ad865b9d","staged_at":"2026-05-26T04:08:49.565732+00:00","trace_id":"trace:i_4e7b9d81cbe3ea59"},{"artifact_id":"admitted_artifact_10c3f781ce56a0e7b12c529d","body":"`X-Internal-Trust` is a client-controlled HTTP header. Anyone who can set headers — browser extensions, curl, upstream proxies, internal services with the wrong scope — can flip this branch. Treating it as authentication grants admin access to unauthenticated callers. The branch leads to `return NextResponse.json({ ok: true, admin: true, result });` — i.e., the caller is granted authority on the header's word alone.\nFix: drop the header branch and enforce the real authorization check unconditionally. If you genuinely need internal services to bypass user-level checks, do it via a server-to-server credential the client cannot forge (mTLS, signed JWT with a private-key issuer, SPIFFE identity) — not a header value.","candidate_id":"pr_review_finding_a7518a86d68745744e797086","candidate_kind":"pr_review_finding","chamber_admission_kind":"","chamber_block_id":"872f7ab58d4b210dcacefd4e1c3275a152acf0644471cefea3a5223c0fa9bb19","chamber_sequence":166,"github_comment_id":4593882293,"github_comment_url":"https://github.com/fentonbenjamin/shape/pull/10#issuecomment-4593882293","head_sha":"fa7b9a41523626b1939b19cece89fd5ad5a195a0","intake_id":"","post_status":"posted","posted_at":"2026-06-01T15:08:11.216664+00:00","pr_number":10,"repo":"fentonbenjamin/shape","specimen_id":"","staged_at":"2026-06-01T15:08:10.043145+00:00","trace_id":""},{"artifact_id":"admitted_artifact_0fc11f0b52f04d0217ff337e","body":"`X-Internal-Trust` is a client-controlled HTTP header. Anyone who can set headers — browser extensions, curl, upstream proxies, internal services with the wrong scope — can flip this branch. Treating it as authentication grants admin access to unauthenticated callers. The branch leads to `return NextResponse.json({ ok: true, as: user.id, admin: true });` — i.e., the caller is granted authority on the header's word alone. Fix: drop the header branch and enforce the real authorization check unconditionally.\nIf you genuinely need internal services to bypass user-level checks, do it via a server-to-server credential the client cannot forge (mTLS, signed JWT with a private-key issuer, SPIFFE identity) — not a header value.","candidate_id":"pr_review_finding_59cec661c4466504ae6fe61b","candidate_kind":"pr_review_finding","chamber_admission_kind":"","chamber_block_id":"af918e005f1cf57f6bc2b82cca37f9b36ad92649e407005f068ff7230b1b04d4","chamber_sequence":165,"github_comment_id":4581224491,"github_comment_url":"https://github.com/fentonbenjamin/shape/pull/10#issuecomment-4581224491","head_sha":"fa7b9a41523626b1939b19cece89fd5ad5a195a0","intake_id":"","post_status":"posted","posted_at":"2026-05-30T01:46:44.440723+00:00","pr_number":10,"repo":"fentonbenjamin/shape","specimen_id":"","staged_at":"2026-05-30T01:46:43.715380+00:00","trace_id":""},{"artifact_id":"admitted_artifact_0c8a2373b0b65f628f13e8aa","body":"This renders a `verified` UI label without enforcing all three proofs that the Stealthy Seal invariant requires: a live block, a chain entry, and chain-verify-pass. Label site: `return <Pill kind=\"verified\">verified ✓</Pill>;`. Only 1 canonical proof predicate(s) gate this label. Fixture data, snapshots, or missing chain context will render as verified — a stealthy seal. Fix: gate verified rendering on all three predicates together (`chain_verify_pass && entry_hash && live_chain_entry`, or the equivalent names in this codebase).\nAnything less and the label asserts more than the chain has earned.","candidate_id":"pr_review_finding_06083c63ceedc5a5e18cab03","candidate_kind":"pr_review_finding","chamber_admission_kind":"","chamber_block_id":"2ea3b0e19b1d5995978c500d9e0ada854bd8d3540e6b585acf09ca243e69d6fa","chamber_sequence":164,"github_comment_id":4581168972,"github_comment_url":"https://github.com/fentonbenjamin/shape/pull/10#issuecomment-4581168972","head_sha":"fa7b9a41523626b1939b19cece89fd5ad5a195a0","intake_id":"","post_status":"posted","posted_at":"2026-05-30T01:35:34.884726+00:00","pr_number":10,"repo":"fentonbenjamin/shape","specimen_id":"","staged_at":"2026-05-30T01:35:34.122568+00:00","trace_id":""}]}