host-uk · Snider · Feb 2, 2026 · Feb 2, 2026 · Feb 2, 2026 · Feb 2, 2026
diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml
@@ -181,13 +181,13 @@ jobs:
         id: psalm
         run: |
           set +e
-          vendor/bin/psalm --output-format=json --show-info=false > psalm.json 2>&1
+          vendor/bin/psalm --output-format=github --show-info=false > psalm.txt
           EXIT_CODE=$?
 
           # Generate SARIF for GitHub Security
-          vendor/bin/psalm --output-format=sarif --show-info=false > psalm.sarif 2>&1 || true
+          vendor/bin/psalm --output-format=sarif --show-info=false > psalm.sarif || true
 
-          ERRORS=$(jq 'length' psalm.json 2>/dev/null || echo "0")
+          ERRORS=$(wc -l < psalm.txt)
           echo "errors=${ERRORS}" >> $GITHUB_OUTPUT
 
           if [ $EXIT_CODE -eq 0 ]; then

diff --git a/AUDIT-OWASP.md b/AUDIT-OWASP.md
@@ -0,0 +1,37 @@
+# OWASP Top 10 Security Audit
+
+## Summary
+1 critical, 1 high, 2 medium findings
+
+## Findings by Category
+
+### A01: Broken Access Control
+- **Medium:** The `bypass_patterns` in the Bouncer configuration (`config/core.php`) are overly permissive. Specifically, `'password/*'` and `'livewire/*'` could allow unauthorized access to sensitive functionality. It is recommended to review and tighten these patterns to be as specific as possible.
+
+### A02: Cryptographic Failures
+- **Critical:** A hardcoded API token was found in `src/Mod/Trees/Tests/Unit/AgentDetectionTest.php`. While this is a test file, it still poses a significant security risk. It is recommended to remove the token from the codebase and use a secure method for managing secrets, such as environment variables or a secret management system.
+- **High:** A direct call to the `env()` helper was found in `src/Core/Bouncer/BouncerMiddleware.php`. Using `env()` outside of configuration files can lead to inconsistent application behavior when the configuration is cached. It is recommended to move this to a configuration file.
+
+### A03: Injection
+- No findings.
+
+### A04: Insecure Design
+- No findings.
+
+### A05: Security Misconfiguration
+- No findings.
+
+### A06: Vulnerable Components
+- No findings.
+
+### A07: Auth Failures
+- No findings.
+
+### A08: Data Integrity Failures
+- No findings.
+
+### A09: Logging Failures
+- **Medium:** The application does not appear to be storing logs in a conventional or discoverable location. No log files or directories were found within the project. It is recommended to implement a robust logging solution and ensure that logs are stored in a secure and accessible location.
+
+### A10: SSRF
+- **High:** A potential SSRF vulnerability was found in `src/Core/Helpers/File.php`. The `Http::get()` method is used to fetch a URL without any validation. This could allow an attacker to make requests to internal services or other arbitrary URLs. It is recommended to implement a whitelist of allowed domains or to otherwise validate the URL before making the request.