docs: mark SEC_REVIEW F59 as fixed in 206db1e

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

doc/SEC_REVIEW.md

@@ -11,7 +11,7 @@
 >
 > Each finding is referenced as **F<N>** for later citation.
 >
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (26 fixed, 16 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (27 fixed, 15 open).
 
 ---
 
@@ -1932,6 +1932,25 @@
   only `geolocation`, `microphone`, `camera`. Cheap to add the
   rest.
 - **Severity: 1**
+- **Status:** Fixed. Both Caddyfiles now emit:
+  - `Cross-Origin-Opener-Policy: same-origin` — isolates the
+    browsing context from any popups it opens; a
+    `window.opener.location = …` from a newly-spawned
+    cross-origin tab can no longer reach back into the app.
+  - `Cross-Origin-Resource-Policy: same-origin` — tells the
+    browser the resource may only be loaded by same-origin
+    documents (defeats sub-resource leaks via cross-origin
+    `<img>`/`<script>`/`<link>` inclusion).
+  - `X-Permitted-Cross-Domain-Policies: none` — blocks legacy
+    Adobe Flash / Acrobat `crossdomain.xml` lookups.
+  COEP `require-corp` was deliberately *not* added: it would
+  require every cross-origin resource (e.g. the jsDelivr-hosted
+  RapiDoc on `/api/docs`) to opt in via CORP, which we don't
+  control. The SEC_REVIEW called out COOP / CORP / X-Permitted-
+  CDP only; sticking to that scope. (`Permissions-Policy`
+  hardening — F61 — is tracked separately.) Caddyfile syntax is
+  validated with `frankenphp validate --config … --adapter
+  caddyfile` ("Valid configuration") on both files.
 
 ### F60 — HSTS lacks `preload`
 - **Files:** `ui/docker/Caddyfile:37`, `api/docker/Caddyfile:36`