This repository was archived by the owner on May 29, 2026. It is now read-only.

Security/quality backlog: hydra-gates security-semantic findings (Bucket B) #289

@rubenvdlinde

Description

Hydra security/quality backlog (Bucket B)

Security-semantic findings from an isolated full-repo hydra-gates scan of development (2026-05-26, 18 gates). These need per-method judgment, tracked here rather than bulk-patched.

⚠️ Counts re-verified with a contamination-proof scanner. An earlier version of this issue had inflated no-admin-idor counts — my first scan ran while the Hydra supervisor was concurrently writing to the shared /tmp/hydra-gate-*.log, clobbering some logs. These numbers are the corrected ones.

Findings (isolated re-scan)

| Gate                 | Count |
|----------------------|-------|
| orphan-auth          | 2     |
| no-admin-idor        | 2     |
| semantic-auth        | 3     |
| route-reachability   | 1     |
| redundant-controller | 4     |

Disposition / guidance — ADR-023

  • no-admin-idor: real action-authorization gaps per ADR-023, not false positives. The data layer (who may read/write which objects) IS covered — OpenRegister's ObjectService::PermissionHandler enforces RBAC + multi-tenancy and throws on denied CRUD. But ADR-023 also requires every #[NoAdminRequired] method to gate the action via $this->actionAuth->requireAction($user, '<domain>.<verb>'). No app has adopted this yet — ActionAuthService lives only in nextcloud-app-template (and even there the admin matrix UI is missing); zero controllers fleet-wide call requireAction(). Fix = port the ADR-023 kit (ActionAuthService + InitializeActions repair + actions.seed.json + admin matrix UI) and add one requireAction() call per flagged method. Do NOT add isAdmin() guards — ADR-023 calls that the wrong layer (the decidesk Implement: Minutes and Decisions — Core T3 #44/Implement: Minutes and Decisions — Other T1 #45 bug). gate-7's regex already recognizes ->requireAction(.
  • route-auth / semantic-auth: add/correct the NC auth attribute; pair #[NoAdminRequired] with requireAction().
  • orphan-auth: dead auth helper — wire to a caller or remove.
  • unsafe-auth-resolver: fail-open catch (\Throwable){return null;} — make it fail-closed.
  • route-reachability: unrouted controller method / wrong-target route — register or fix.
  • redundant-controller (ADR-022): pass-through wrapper of OR's ObjectService — delete the dead method (frontend already calls OR directly).
  • stub-scan (real): genuine unfinished logic — implement properly.

The gate/skill is correct — do not relax it. This is the stalled ADR-023 migration (template → fleet); decidesk is the reference pilot. Note: these are static gate findings (the runtime security agent has not verified exploitability). Hydra's per-diff reviewer also enforces this on future PRs (ADR-020).
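As an added sketch (not code from the repository or from the ADR-023 kit), this shows the no-admin-idor fix and the unsafe-auth-resolver fix from the guidance above side by side in one Nextcloud controller. `requireAction($user, '<domain>.<verb>')` and the attribute pairing come from the issue; the controller name, the `minutes.update` action id, `loadActions()`, and the deliberately untyped injected services are assumptions.

```php
<?php
// Added sketch, not code from the repository or the ADR-023 kit. Assumed
// (hypothetical): the controller name, the 'minutes.update' action id,
// loadActions(), and the untyped injected services named below.
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\JSONResponse;

class MinutesController extends Controller {
    // $actionAuth: ActionAuthService (ADR-023 kit); $objectService: OpenRegister
    // ObjectService (data-layer RBAC); $userSession: IUserSession; $logger: PSR-3.
    public function __construct(string $appName, $request, private $actionAuth,
        private $userSession, private $objectService, private $logger) {
        parent::__construct($appName, $request);
    }

    // BEFORE (no-admin-idor): the data layer still enforces object-level
    // RBAC, but nothing checks that this user may perform the action at all.
    // Adding isAdmin() here would be the wrong layer per ADR-023.
    #[NoAdminRequired]
    public function updateBefore(int $id, array $data): JSONResponse {
        return new JSONResponse($this->objectService->update($id, $data));
    }

    // AFTER: gate the action first. requireAction() throws on denial, so an
    // unauthorized caller never reaches the data layer.
    #[NoAdminRequired]
    public function updateAfter(int $id, array $data): JSONResponse {
        $this->actionAuth->requireAction($this->userSession->getUser(), 'minutes.update');
        return new JSONResponse($this->objectService->update($id, $data));
    }

    // unsafe-auth-resolver, fail-open: any error (DB down, bad seed file)
    // becomes null, which callers easily read as "no restriction".
    private function resolveFailOpen(string $userId): ?array {
        try { return $this->loadActions($userId); }
        catch (\Throwable) { return null; }
    }

    // Fail-closed: log and deny by re-throwing; never return a value that reads as a grant.
    private function resolveFailClosed(string $userId): array {
        try { return $this->loadActions($userId); }
        catch (\Throwable $e) {
            $this->logger->error('action resolver failed', ['exception' => $e]);
            throw new \RuntimeException('action authorization unavailable', 0, $e);
        }
    }

    // Assumed lookup of the user's granted actions (e.g. from actions.seed.json).
    private function loadActions(string $userId): array { return []; }
}
```

Only `updateAfter` satisfies gate-7's `->requireAction(` check; the fail-closed resolver is the shape the unsafe-auth-resolver finding asks for.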

Fleet hydra-gates sweep, 2026-05-26. Mechanically-safe quality findings (SPDX, initial-state, NcSelect labels, modal isolation) were fixed + merged to development separately.
