Facility Active
Black Site
We don’t just find bugs. We rendition them. Every defect in this codebase gets a hash, a severity, and a cell. They don’t leave until we’ve extracted everything they know and eliminated them from the system.
We proudly use enhanced interrogation tactics.
Strike Teams Deployed
| Designation | Codename | Mission |
|---|---|---|
| T001 | SquirrelScan | Automated full-spectrum technical audit — SEO, security, accessibility, performance |
| T002 | Ghost Protocol | Interactive UX hunt — Engineer’s Report flows, every click, every pixel |
| T003 | Perimeter Sweep | Interactive UX hunt — navigation, homepage, secondary pages, mobile |
| T004 | Design Forensics | CSS architecture autopsy — glass, hover, tokens, specificity, print |
| T005 | The Architect | Strategic holistic assessment — would this survive a UX conference stage? |
Severity Classification
| Level | Classification |
|---|---|
| S0 | Red Notice. Internal regression. Something we fixed turned against us — a mole in the codebase. When a rendered finding resurfaces or a fix introduces a new defect, it gets a Red Notice. These are treated as betrayals, not bugs. |
| S1 | Critical Path. High-impact, actively causing damage. Users are hitting this right now. No workaround exists. |
| S2 | Major. Documented weakness being exploited. We know the damage. We haven’t patched it yet. |
| S3 | Contained. Design debt with a known attack surface. Not actively exploited but attackable. Track and remediate. |
| S4 | Minor. Indicator that something isn’t right. Left unaddressed, it metastasizes. |
Census
S1 — Critical Path Threats
These findings orchestrated the whole operation against our codebase. They don’t just cause one problem — they corrupt trust in the entire system.
S1 Rendered defect BSI-2026-0001: Covert Mode Is a Page Navigation, Not a Toggle
On the Engineer's Report, pressing the covert button navigates to /analysis/{id}/view/C (full page load) instead of toggling. User loses scroll position. On non-results pages, the same button does a client-side class toggle.
“Results page requires server-rendered covert template, so navigation is architecturally necessary. Scroll position loss and inconsistent interaction pattern were unaddressed.”
Root cause: activateCovertOrSwitch() uses location.href navigation on analysis pages with no scroll preservation. Fixed by adding sessionStorage save/restore of scrollY.
c2b8bab7
Domain: ux
Evidence: reproduced
Confidence: 95%
Blast: flow
Team: T002
Legacy: BSI-001
S1 Rendered compliance_gap BSI-2026-0006: Compare Select Rows Keyboard Inaccessible
Domain comparison rows use click handlers on bare tr elements. No tabindex, no role, no aria-label. Keyboard-only users cannot reach or activate these rows.
Root cause: Missing keyboard accessibility attributes. Fixed by adding tabindex=0, role=button, aria-label, and Enter/Space keydown handler.
6d30148f
Domain: accessibility
Evidence: reproduced
Confidence: 99%
Blast: page
Team: T003
Legacy: BSI-006
S1 Detained incident BSI-2026-0018b: Sanity Token Exposed in HTML
A Sanity token is exposed in the analysis view HTML. Sanity documents tokens as credentials that should generally be considered secret. Browser-exposed tokens are a bad idea.
“Token may be a read-only public dataset token, but exposure should be verified and scoped.”
cdfde606
Domain: security
Evidence: static_analysis
Confidence: 85%
Blast: page
Team: T001
Legacy: BSI-018
S1 Detained weakness BSI-2026-0019: CSP script-src Allows Wildcard
The script-src directive uses *, allowing JavaScript execution from any origin. This effectively disables browser-side XSS defense.
f1ae484a
Domain: security
Evidence: measured
Confidence: 99%
Blast: sitewide
Team: T001
Legacy: BSI-019
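A check for the weakness recorded in BSI-2026-0019, as an added example that is not code from this project: it parses a Content-Security-Policy value, resolves the effective script source list (script-src, falling back to default-src), and reports the sources that defeat script restrictions. The function names and both sample policies are constructed for illustration.

```javascript
// Added example: audit the effective script-src of a CSP header value.
// WEAK and HARDENED are constructed samples, not the audited site's policy.

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditScriptSrc(policy) {
  const directives = parseCsp(policy);
  // script-src falls back to default-src when it is absent.
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) {
    return ['no script-src or default-src: script loading is unrestricted'];
  }
  const lower = sources.map((s) => s.toLowerCase());
  // When a nonce or hash is present, CSP2+ browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const findings = [];
  for (const src of lower) {
    if (src === '*') {
      findings.push('wildcard *: any network origin may serve scripts');
    } else if (/^(https?|wss?):$/.test(src)) {
      findings.push(`scheme-only source ${src}: any host on that scheme is allowed`);
    } else if (src === 'data:' || src === 'blob:') {
      findings.push(`${src} source: script can be loaded from constructed URLs`);
    } else if (src === "'unsafe-inline'" && !hasNonceOrHash) {
      findings.push("'unsafe-inline': injected inline script will run");
    } else if (src === "'unsafe-eval'") {
      findings.push("'unsafe-eval': string-to-code APIs are enabled");
    }
  }
  return findings;
}

// The weak setting beside a corrected one. The nonce is a placeholder; a real
// nonce must be random and regenerated for every response.
const WEAK = "default-src 'self'; script-src * 'unsafe-inline'";
const HARDENED = "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; object-src 'none'";
console.log(auditScriptSrc(WEAK));
console.log(auditScriptSrc(HARDENED));
```

An empty result means none of these specific weaknesses were found, not that the policy is sufficient; host allowlists can still be bypassable.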
S2 — Major Findings
Documented weaknesses actively causing damage. We know the impact. Patches pending.
S2 Rendered design_debt BSI-2026-0002: Glass Treatment Only on Posture Cards
Glassmorphism CSS selectors only match cards with exact class combination card.border-{status}.bg-{status}.bg-opacity-10. Confidence and Currency cards use card.bg-dark and get no glass treatment or hover-lift.
“CSS selectors were written for the first card type and never extended to other card patterns.”
Root cause: Missing .card.bg-dark glass treatment rule. Fixed by adding glassmorphism and hover-lift to .card.bg-dark selector.
47527c9f
Domain: design_system
Evidence: reproduced
Confidence: 90%
Blast: page
Team: T002
Legacy: BSI-002
S2 Rendered compliance_gap BSI-2026-0004: No prefers-reduced-motion in CSS
Users who set Reduce Motion in OS settings still see every CSS transition, transform, and animation. JavaScript handles topology SVG SMIL but CSS transitions are unprotected.
Root cause: Missing @media (prefers-reduced-motion: reduce) block. Fixed by adding universal selector that kills animation-duration and transition-duration.
97da9160
Domain: accessibility
Evidence: reproduced
Confidence: 95%
Blast: sitewide
Team: T004
Legacy: BSI-004
S2 Rendered compliance_gap BSI-2026-0005: Stats Metric Label 2.1:1 Contrast Ratio
.stats-confidence-metric-label uses color #484f58 on #161b22 background. Contrast ratio approximately 2.1:1. WCAG AA requires 4.5:1 for normal text.
Root cause: Hardcoded color too dark. Fixed by changing to #8b949e (5.1:1 contrast ratio).
5cd87687
Domain: accessibility
Evidence: measured
Confidence: 99%
Blast: page
Team: T003
Legacy: BSI-005
S2 Rendered defect BSI-2026-0007: Architecture Page SVG Diagrams 404
Two SVG diagrams (drift-notification-pipeline.svg and github-issues-triage.svg) reported as returning 404 on the architecture page.
“Files may have been missing from static/images/diagrams/ directory.”
Root cause: Files exist and serve HTTP 200. Issue was previously resolved.
1df827ff
Domain: content
Evidence: measured
Confidence: 99%
Blast: page
Team: T001
Legacy: BSI-007
S2 Rendered compliance_gap BSI-2026-0008: Copy Buttons Mouse-Only Visibility
.copy-btn has opacity: 0 by default and only becomes visible on :hover. Keyboard-only users never see the button and cannot focus on an invisible element.
Root cause: Missing keyboard focus reveal. Fixed by adding :focus-within and :focus selectors alongside :hover for opacity:1.
16405d18
Domain: accessibility
Evidence: reproduced
Confidence: 99%
Blast: sitewide
Team: T002
Legacy: BSI-008
S2 Detained defect BSI-2026-0009: Anchor Scroll Handler Hijacks Bootstrap Collapse
A generic smooth-scroll handler on ALL a[href^="#"] links calls e.preventDefault(), blocking Bootstrap collapse triggers that use href="#target" instead of data-bs-target.
“Bootstrap collapse relies on default click behavior which is being intercepted.”
67bba283
Domain: ux
Evidence: reproduced
Confidence: 90%
Blast: flow
Team: T002
Legacy: BSI-009
S2 Detained defect BSI-2026-0015: Mobile Navbar Menu Extends Below Viewport
Navbar collapse dropdown uses position: absolute with no max-height and no overflow-y: auto. With 11+ nav items on shorter mobile screens, menu extends below viewport.
262dc6e6
Domain: ux
Evidence: reproduced
Confidence: 85%
Blast: sitewide
Team: T003
Legacy: BSI-015
S2 Rendered claim_integrity BSI-2026-0003: Golden Ratio Claim Scope Verification
Topology SVG claims golden ratio (320/198 = 1.616 ≈ phi) which is mathematically accurate. CSS type scale uses ad hoc values not derived from phi.
“Claim may have been broader than implementation.”
Root cause: Verified: claim is correctly scoped to topology SVG aria-description only. No system-wide golden ratio claim found in user-facing code.
ab982184
Domain: content
Evidence: measured
Confidence: 95%
Blast: component
Team: T005
Legacy: BSI-003
S2 Detained design_debt BSI-2026-0020: 908 !important Declarations
~908 !important declarations, ~450 in covert mode alone. Architecturally inevitable without CSS @layer. Every future style must also use !important.
“CSS @layer would resolve the specificity arms race. Supported since March 2022.”
350c412d
Domain: design_system
Evidence: measured
Confidence: 95%
Blast: sitewide
Team: T004
Legacy: BSI-020
S3 — Contained Findings
| FP | ID | Kind | Finding | Domain | Status |
|---|---|---|---|---|---|
| 62e1dacd | BSI-2026-0010 | defect | white-space-nowrap Class Does Not Exist | ux | Detained |
| 1a1ae688 | BSI-2026-0011 | defect | border-accent-gold-muted Class Does Not Exist | design_system | Detained |
| 25b9b747 | BSI-2026-0012 | defect | DNS Hosting Column Missing text-truncate | ux | Detained |
| 2352d693 | BSI-2026-0013 | defect | Chevron Icons Never Rotate on Collapse | ux | Detained |
| 37902edd | BSI-2026-0014 | defect | Tooltips Only Work on Results Pages | ux | Detained |
| b788bcb5 | BSI-2026-0016 | design_debt | Footer Wall of Text at 375px | ux | Detained |
| dfd32e27 | BSI-2026-0017 | defect | Video Category Score F (57/100) | seo | Detained |
| 4c14b1cd | BSI-2026-0021 | design_debt | 50+ Hardcoded Hex Colors Outside Token System | design_system | Detained |
| 730efafc | BSI-2026-0024 | defect | transition: all Animates Every CSS Property | performance | Detained |
| f367cd05 | BSI-2026-0027 | defect | Covert Mode Missed .u-code-block and .icae-card | design_system | Detained |
| c4d5c588 | BSI-2026-0029 | design_debt | Two Code Block Implementations | design_system | Detained |
| ef21255e | BSI-2026-0030 | defect | 66+ Pages Missing Canonical URLs | seo | Detained |
| 4218b9fd | BSI-2026-0032 | defect | External Links Returning 403/404 | content | Detained |
| 6d6bd116 | BSI-2026-0033 | defect | 15 Duplicate Page Titles Across 43 Pages | seo | Detained |
| c206136f | BSI-2026-0040 | defect | 7 Header Action Buttons Compress at 375px | ux | Detained |
| 9afe5542 | BSI-2026-0041 | compliance_gap | Accordion Focus Styles Invisible on Dark Background | accessibility | Detained |
S4 — Minor Indicators
| FP | ID | Kind | Finding | Domain | Status |
|---|---|---|---|---|---|
| 37f4b366 | BSI-2026-0018a | weakness | OAuth Client ID Exposed in Page Source | security | Detained |
| d4ade2b1 | BSI-2026-0022 | design_debt | Blur Radius Has 4 Values No Design Token | design_system | Detained |
| 29cef05e | BSI-2026-0023 | design_debt | 5+ Transition Timing Values No System | design_system | Detained |
| 10a22518 | BSI-2026-0025 | design_debt | Three Syntaxes for Same Breakpoint | design_system | Detained |
| 52322318 | BSI-2026-0026 | design_debt | Print CSS Scattered Across 4 Locations | design_system | Detained |
| afc7b5ce | BSI-2026-0028 | design_debt | Font Units Mixed rem px pt in Non-Print CSS | design_system | Detained |
| 0c1ad5f3 | BSI-2026-0031 | defect | Charset Not First Element in head | seo | Detained |
| 3896d1a9 | BSI-2026-0034 | compliance_gap | Domain Input Missing required Attribute | accessibility | Detained |
| 6ca93eea | BSI-2026-0035 | compliance_gap | Search Hint Not Linked via aria-describedby | accessibility | Detained |
| da7dadba | BSI-2026-0036 | defect | Recon Mode Button Icon Only on Mobile | ux | Detained |
| 0f283daf | BSI-2026-0037 | defect | ROE Script Tags Look Clickable But Are Not | ux | Detained |
| 25d86b64 | BSI-2026-0038 | compliance_gap | TLP Dropdown Items Missing role Attribute | accessibility | Detained |
| eb1cbc11 | BSI-2026-0039 | defect | No Active Nav State on Analysis Pages | ux | Detained |
| 723ebe77 | BSI-2026-0042 | design_debt | Skip Link Uses :focus Instead of :focus-visible | accessibility | Detained |
| c6fba69e | BSI-2026-0043 | design_debt | No @supports Fallback for backdrop-filter | design_system | Detained |
| 520e9201 | BSI-2026-0044 | defect | TTL Tuner Promo Card Overflow at 375px | ux | Detained |
| a3f29633 | BSI-2026-0045 | defect | Footer Orphan Link to Nonexistent Page | seo | Detained |
Rendition Log
When a finding is eliminated, we record the kill. Date, commit hash, who pulled the trigger.
| BSI | Finding | Action | Date | Commit | Operative |
|---|---|---|---|---|---|
| BSI-2026-0008 | Copy Buttons Mouse-Only Visibility | RENDERED | 2026-03-18 | pending-sync | Agent |
| BSI-2026-0007 | Architecture Page SVG Diagrams 404 | RENDERED | 2026-03-18 | pending-sync | Agent |
| BSI-2026-0006 | Compare Select Rows Keyboard Inaccessible | RENDERED | 2026-03-18 | pending-sync | Agent |
| BSI-2026-0005 | Stats Metric Label 2.1:1 Contrast Ratio | RENDERED | 2026-03-18 | pending-sync | Agent |
| BSI-2026-0004 | No prefers-reduced-motion in CSS | RENDERED | 2026-03-18 | pending-sync | Agent |
| BSI-2026-0003 | Golden Ratio Claim Scope Verification | RENDERED | 2026-03-18 | pending-sync | Agent |
| BSI-2026-0002 | Glass Treatment Only on Posture Cards | RENDERED | 2026-03-18 | pending-sync | Agent |
| BSI-2026-0001 | Covert Mode Is a Page Navigation, Not a Toggle | RENDERED | 2026-03-18 | pending-sync | Agent |
Audit Scores
External Audit — SquirrelScan
Internal Audit — Design Forensics
This facility is a living operation. Every bug gets a hash. Every hash gets a cell. They enter as Detained — they leave as Rendered — or they don’t leave at all.
This is what happens when you build software like you mean it.
This page queries PostgreSQL on every request. What you see is the live state of the operation — not a static report.
Declassified Archive