docs: mark SEC_REVIEW F65 as fixed in c439ce1

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

doc/SEC_REVIEW.md

@@ -11,7 +11,7 @@
 >
 > Each finding is referenced as **F<N>** for later citation.
 >
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (32 fixed, 10 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (33 fixed, 9 open).
 
 ---
 
@@ -2082,6 +2082,25 @@
   Add a JWT regex
   `^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$`.
 - **Severity: 1**
+- **Status:** Fixed. Both `SecretScrubbingProcessor` value-pattern
+  lists (api and ui) gained two entries:
+  - `\beyJ[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}\b`
+    → `eyJ***`. Anchored on `eyJ` because every JWT header is the
+    base64url encoding of a JSON object that starts with `{"…`,
+    which is `eyJ…`. Anchoring eliminates false positives on
+    dotted-quad IPs (`192.168.1.1`), shared-object names
+    (`lib.so.6`), and arbitrary `a.b.c`-shaped prose; the per-
+    segment `{4,}` floor skips pathological short matches.
+  - The Bearer floor `[A-Za-z0-9._\-]{20,}` was lowered to `{8,}`
+    so a `Bearer abc12345` short token (the SEC_REVIEW called
+    out `< 20 char` Bearers slipping through) gets caught.
+  Regression tests:
+  - api: `testRawJwtInValueIsScrubbed`,
+    `testRawJwtInMessageIsScrubbed`,
+    `testShortBearerTokenIsScrubbed`,
+    `testIpAddressDoesNotMatchJwtRegex` (false-positive guard).
+  - ui: `testRawJwtInValueIsScrubbed`, `testShortBearerIsScrubbed`.
+  All existing tests still pass.
 
 ### F66 — `APP_SECRET` and `UI_SECRET` declared but unused
 - **Files:** `.env.example:23, 82`,