You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
VG951 (BOLA delete/update) is now AST-aware for the find → compare → mutate pattern: a bare-id mutation preceded by a post-fetch ownership comparison against the session is no longer falsely flagged.
Validated on real production code (clean stash diff): 2 false positives removed, both genuinely ownership-guarded; 0 true positives lost, 0 other-rule drift.
Reuses the existing AST engine (shared anchor + ownership-comparison helpers); no rule or tool count change (442 / 37).
