[ { "id": "LUMI-001", "severity": "High", "title": "Missing CSRF protection on state-changing routes", "affected": [ "/admin/*", "/profile/*", "/auth/logout" ], "evidence": "No CSRF middleware in src/web/server.js; POST routes rely solely on session cookies.", "impact": "Logged-in admins can be tricked into executing sensitive actions (plugin install/update, settings changes, restart).", "fix": "Add CSRF tokens or Origin/Referer checks and set the SameSite attribute on the session cookie." }, { "id": "LUMI-002", "severity": "Medium", "title": "Session cookie missing Secure and SameSite", "affected": [ "/" ], "evidence": "Set-Cookie: connect.sid=...; Path=/; HttpOnly (no Secure/SameSite)", "impact": "Session cookie may be sent over plaintext HTTP or attached to cross-site requests; increases CSRF/session hijack risk.", "fix": "Configure express-session cookie options with Secure and SameSite=Lax; enable trust proxy when the app runs behind a TLS-terminating proxy." }, { "id": "LUMI-003", "severity": "Medium", "title": "Session fixation risk after OAuth login", "affected": [ "/auth/discord/callback", "/auth/twitch/callback" ], "evidence": "Session is populated without regeneration in src/web/server.js (req.session.user set directly).", "impact": "An attacker who can set a session ID before login could reuse it after the victim authenticates.", "fix": "Call req.session.regenerate() before setting authenticated session data." }, { "id": "LUMI-004", "severity": "Medium", "title": "Plugin route role not enforced", "affected": [ "/plugins/sample-plugin", "/plugins/*" ], "evidence": "web.mount uses app.use without a role guard; the sample plugin labeled admin is accessible publicly.", "impact": "Plugin pages intended for admins can be reached by unauthenticated users.", "fix": "Enforce navItem.role in web.mount with requireRole(role)." 
}, { "id": "LUMI-005", "severity": "Low", "title": "Missing baseline security headers", "affected": [ "/", "/commands", "/leaderboards" ], "evidence": "No CSP/XFO/XCTO/Referrer-Policy/Permissions-Policy headers; X-Powered-By present.", "impact": "Increases exposure to clickjacking, XSS and MIME sniffing, and enables framework fingerprinting.", "fix": "Use helmet and disable x-powered-by." } ]