docs: mark SEC_REVIEW F26 as fixed in ce77454

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

doc/SEC_REVIEW.md

@@ -11,7 +11,7 @@
 >
 > Each finding is referenced as **F<N>** for later citation.
 >
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (16 fixed, 11 open), 42 sev-1.
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (17 fixed, 10 open), 42 sev-1.
 
 ---
 
@@ -935,6 +935,25 @@
   whose `getCode()` happens to be in the 4xx range bypass
   suppression and return raw messages.
 - **Severity: 2**
+- **Status:** Fixed in `ce77454`. `JsonErrorHandler` now maps every
+  HTTP status to a fixed `STATUS_TOKENS` lookup (`bad_request`,
+  `forbidden`, `too_many_requests`, …) and only emits that canonical
+  token in the `error` field. `Throwable::getMessage()` is no longer
+  echoed to clients in production for any branch — `HttpException`,
+  `HttpNotFoundException`, `HttpMethodNotAllowedException`, or
+  catch-all. Out-of-range `getCode()` (including the default `0` from
+  `new HttpException(...)`) is clamped to 500. Non-HttpException
+  Throwables always collapse to status 500 regardless of their
+  numeric code, closing the previous 4xx-bypass path. The raw
+  exception class + message are only added under a separate
+  `detail` key when `$displayErrorDetails` (Slim) or
+  `$exposeDetails` (dev env) is on. New unit-test suite
+  `JsonErrorHandlerTest` covers the canonical responses for
+  HttpNotFound/HttpMethodNotAllowed/HttpBadRequest/HttpForbidden/
+  HttpInternalServerError, the generic-Throwable 500 path, the
+  4xx-numeric-code-on-non-HttpException no-leak case, the clamp on
+  `code=0`, the unmapped-but-valid 418 fallback, the dev-mode
+  detail shape, and the per-request `displayErrorDetails` override.
 
 ### F27 — `RateLimitMiddleware` is skipped when no principal is present
 - **Files:** `api/src/Infrastructure/Http/Middleware/RateLimitMiddleware.php:33-36`