
docs: mark SEC_REVIEW F44 as fixed in 1a705f6

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chiappa 3 days ago
parent commit 82124b9d94
1 file changed with 15 additions and 1 deletion
  doc/SEC_REVIEW.md (+15 -1)

+ 15 - 1
doc/SEC_REVIEW.md

@@ -11,7 +11,7 @@
 >
 > Each finding is referenced as **F<N>** for later citation.
 >
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (11 fixed, 31 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (12 fixed, 30 open).
 
 ---
 
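Review bot: the roll-up line is maintained by hand and this hunk only moves the sev-1 bucket (11 to 12 fixed, 31 to 30 open); the bucket still sums to 42, but nothing in the document enforces that, so consider a small scripted check (CI or a pre-commit hook) that counts the per-finding `**Status:** Fixed` lines per severity and compares them against this header, so that future single-finding status flips cannot let the roll-up drift out of sync with the entries below.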
@@ -1485,6 +1485,20 @@
   into log injection or forged audit entries. Validate against
   `^[a-z0-9_-]+$` in the controller.
 - **Severity: 1**
+- **Status:** Fixed. New `JobsAdminController::JOB_NAME_PATTERN`
+  constant `^[a-z0-9_-]+$`; `trigger()` now `preg_match`s the
+  `{name}` segment against it as the first thing it does, returning
+  the same 404 `unknown_job` envelope used for the missing-job
+  branch. The check runs *before* `registry->has()` and *before* the
+  `job.triggered` audit emit, so a future refactor that turns
+  `has()` permissive on trim/url-decode/case-folding cannot escalate
+  the route into log injection or forged audit entries. Regression
+  tests in
+  `api/tests/Integration/Admin/JobsAdminControllerTest.php` —
+  `testTriggerRejectsMalformedJobName` data-provider covers
+  uppercase, dotted, space, CR/LF injection, brackets, percent-
+  encoded space, and `..` — every case must 404 AND leave zero
+  `job.triggered` rows in `audit_log`.
 
 ### F45 — `InternalNetworkMiddleware` admits the entire RFC1918 universe
 - **File:** `api/src/Infrastructure/Http/Middleware/InternalNetworkMiddleware.php:29-35`
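Review bot: the Status note says `trigger()` runs `preg_match` on the `{name}` segment against `^[a-z0-9_-]+$`, but in PCRE a trailing `$` also matches immediately before a final newline unless the `D` modifier is set or the anchor is `\z`, so a name whose only defect is a trailing LF (for example a percent-encoded `%0A` after an otherwise valid name) would pass the constant as written; the listed data provider covers CR/LF in the middle of the name and a percent-encoded space but not this trailing-newline case, so please add trailing-LF and trailing-CRLF rows to `testTriggerRejectsMalformedJobName` and state in the entry which anchor or modifier `JOB_NAME_PATTERN` actually uses. Also, the commit message cites the fix as `1a705f6` while the Status line does not, so add the commit reference to the entry so a reader of SEC_REVIEW.md can locate the change without consulting the git log.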