docs: mark SEC_REVIEW F30 as fixed in 2cc1924

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

doc/SEC_REVIEW.md

@@ -11,7 +11,7 @@
 >
 > Each finding is referenced as **F<N>** for later citation.
 >
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (20 fixed, 7 open), 42 sev-1.
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (21 fixed, 6 open), 42 sev-1.
 
 ---
 
@@ -1070,6 +1070,24 @@
   statement timeout. Each request also runs a separate `COUNT(*)`
   over the same wrapped subquery, doubling cost.
 - **Severity: 2**
+- **Status:** Fixed in `2cc1924`. `IpsController::parseSearchFilters`
+  rejects any `q` that doesn't match `/^[0-9a-fA-F:.]+$/` or exceeds
+  64 chars (IPv6 max is 39) with 400 `validation_failed`, so the
+  non-anchored substring path can no longer be reached from the API.
+  `IpScoreRepository::searchIps` drops the `%q%` branch entirely —
+  the only LIKE shape it ever issues is `s.ip_text LIKE 'q%'`, and
+  it re-validates `q` with the same regex as defence-in-depth so a
+  future caller cannot accidentally reintroduce a full-table scan.
+  Same change incidentally closes F46 (`%`/`_` wildcard injection in
+  the IPs search), since neither character survives the regex.
+  Pre-auth and per-token admin rate limits added under F29
+  bound the cost of even the legitimate prefix path. The remaining
+  `COUNT(*)` cost on deep filters is tracked under F31/F32.
+  Regression tests in
+  `api/tests/Integration/Admin/IpsControllerTest.php`
+  (`testSearchRejectsNonIpShapedQuery`,
+  `testSearchRejectsOverlongQuery`,
+  `testSearchQueryIsPrefixAnchoredNotSubstring`).
 
 ### F31 — `AuditController` has no length cap, no max-offset cap, deep-offset scans
 - **Files:** `api/src/Application/Admin/AuditController.php:58-101`,