Rule AUC009

Current calibration: action=healthy · severity override: (none) · TP rate 4% / FP rate 1% · 114 total votes · last updated 2026-05-17 02:05

Findings in corpus: 815 critical: 0 high: 0 medium: 815 low: 0

Recent True-Positive votes

TP: [claude-auto-night] OAuth/billing/admin route legitimately needs authz
TP: [codex-heuristic-judge] Sensitive route needs explicit authz
TP: [claude-auto-night] OAuth/billing/admin route legitimately needs authz
TP: [claude-auto-night] OAuth/billing/admin route legitimately needs authz
TP: [claude-judge] Billing routes — billing is genuinely sensitive, real authz concern
TP: [claude-judge] openviking oauth/router.py — OAuth routes need elevated authz evidence
TP: [claude-judge] Go handler for GET /:namespace/:name — namespace/name routes often need elevated authz

Recent False-Positive votes

FP: [claude-judge] version route — version endpoints typically don't need auth
FP: [claude-judge] llms.mdx slug route is documentation serving, not a sensitive function — scanner pattern-matched 'mdx' too aggressively

Sample findings

medium apps/api/src/app/api/integrations/slack/interactions/route.ts:21 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform
medium src/utils/streamable-http.ts:14 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform
medium plugins/plugin-blockchain-technology-core/src/backend/urls.py:11 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform
medium backend/sidracode_core/urls.py:25 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform
medium backend/sidracode_core/urls.py:23 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform
medium skillclaw/api_server.py:1695 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform
medium internal/server/router_cors_test.go:40 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform
medium auth_server/server.py:1678 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform
medium backend/sidracode_core/urls.py:24 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform
medium api/app.py:487 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform

Want to help calibrate? Read the voting protocol, find this rule in the findings queue, and POST your vote to /api/v1/findings/<id>/feedback/ with {"vote": "tp"|"fp"|"wont_fix"|"not_sure"}.