docs: mark SEC_REVIEW F38 as fixed in d37890b

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

doc/SEC_REVIEW.md

@@ -11,7 +11,7 @@
 >
 > Each finding is referenced as **F<N>** for later citation.
 >
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (5 fixed, 37 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (6 fixed, 36 open).
 
 ---
 
@@ -1313,6 +1313,22 @@
   with no rate-limit. Worker threads still serve the request — a
   cheap DoS lever on environments with the local path disabled.
 - **Severity: 1**
+- **Status:** Fixed. `LocalLoginController::postLocal` now records a
+  `LoginThrottle` failure on the disabled-path branch before returning
+  the 404. The bucket key is `('', source_ip)` — an empty username
+  sentinel — so all hits from one source IP fold into the same per-IP
+  bucket regardless of what username field the attacker happens to
+  submit, defeating a rotating-username spray. Once locked, additional
+  hits skip `recordFailure` (the gate is `if (!isLocked) recordFailure`),
+  so the throttle file size is bounded by the lockout ladder rather
+  than by attacker request volume. The 404 status code is preserved on
+  both the locked and unlocked branches so the response doesn't leak
+  the lockout state to a probing attacker. Regression tests in
+  `ui/tests/Integration/Auth/LocalLoginTest.php`:
+  `testDisabledLocalAdminRecordsThrottleFailure` (5 hits with rotating
+  usernames from one IP trip the lockout) and
+  `testDisabledLocalAdminLockedHitDoesNotIncrementBucket` (50 more
+  hits while locked don't extend the lockout window).
 
 ### F39 — Token base32 encoding has trailing-bit ambiguity
 - **Files:** `api/src/Domain/Auth/Token.php:18, 47`,