docs: mark SEC_REVIEW F42 as fixed in cc77749

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

doc/SEC_REVIEW.md

@@ -11,7 +11,7 @@
 >
 > Each finding is referenced as **F<N>** for later citation.
 >
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (9 fixed, 33 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (10 fixed, 32 open).
 
 ---
 
@@ -1427,6 +1427,23 @@
   silently allows access until an API 403 surfaces. Defense-in-depth:
   enforce the role expectation in the UI controller.
 - **Severity: 1**
+- **Status:** Fixed. New `PoliciesController::PROXY_ALLOWED_ROLES =
+  ['viewer', 'operator', 'admin']` constant captures the api's
+  Viewer-or-higher gate. Both proxy methods now early-return 403 with
+  a `{"error": "forbidden"}` JSON body when the session user's role
+  isn't in that allowlist — covering `none`, the empty string, and
+  any unrecognised role string. The api is not called in that branch,
+  so a `none`-role session that somehow reached the protected
+  `/app/*` route group cannot use the proxy as a probe channel.
+  AuthRequiredMiddleware still intercepts truly-anonymous requests
+  earlier in the chain (302 → /login); the controller's own 401
+  branch is the defence-in-depth fallback for any future route
+  reshuffle that pulls the proxy out of `/app/*`. Regression tests:
+  `ui/tests/Integration/Auth/PoliciesProxyTest.php` covers
+  anonymous-redirect, none-role-403 + zero-api-calls,
+  score-distribution-proxy mirror, viewer-allowed,
+  operator-and-admin-allowed, unknown-role-rejected, and
+  empty-role-rejected.
 
 ### F43 — `/admin/ips/{ip:.+}` route pattern is permissive
 - **Files:** `api/src/App/AppFactory.php:256`,