docs: mark SEC_REVIEW F40 as fixed in 30c0604

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

doc/SEC_REVIEW.md

@@ -11,7 +11,7 @@
 >
 > Each finding is referenced as **F<N>** for later citation.
 >
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (7 fixed, 35 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (8 fixed, 34 open).
 
 ---
 
@@ -1370,6 +1370,24 @@
   hardening: regenerate the CSRF token on login/logout. (`clear()`
   resets `$_SESSION` to `[]` so logout is fine.)
 - **Severity: 1**
+- **Status:** Fixed. `SessionManager::regenerateId()` now also drops
+  the `_csrf` slot on both branches (HTTP `session_regenerate_id(true)`
+  and the CLI `rotateIdUnderCli` fallback). `CsrfMiddleware` lazily
+  mints a fresh token on the next request when the slot is missing,
+  and every call site of `regenerateId()` is followed by a 303 / 302
+  redirect (no template render in the same request), so the next
+  protected GET re-issues a clean token before any state-changing
+  request. `clear()` already wipes `$_SESSION` outright on logout, so
+  the rotate-on-id-rotate hook on `regenerateId` covers the login
+  direction; an attacker who scraped the pre-auth token via Referer
+  or a sub-resource leak cannot replay it post-auth. New `KEY_CSRF`
+  constant on `SessionManager` mirrors `CsrfMiddleware::SESSION_KEY`
+  to avoid a domain → http-layer dependency. Regression tests in
+  `ui/tests/Unit/Auth/SessionManagerTest.php`
+  (`testRegenerateIdRotatesCsrfTokenInCliMode` /
+  `…InHttpMode`) and end-to-end through Slim in
+  `ui/tests/Integration/Auth/LocalLoginTest.php`
+  (`testCsrfTokenIsRotatedAcrossLoginPrivilegeBoundary`).
 
 ### F41 — Reporter / consumer `audit_enabled` is mass-assignable via PATCH
 - **Files:** `api/src/Application/Admin/ReportersController.php:178-184`,