{
  "date": "2026-05-15",
  "scope": "av-gesamt",
  "mode": "tief",
  "next_audit_due": "2026-05-29",
  "findings": [
    {"id": "F001", "scope": "hosted-mcps", "severity": "CRIT", "category": "Webhook-Auth", "title": "mcp-whatsapp /mcp ohne Auth", "verified": true, "fixed": true, "fixed_at": "2026-05-15", "note": "Cloudflare Access mcp* path, Policy Marvin only, verified per curl 302"},
    {"id": "F002", "scope": "hosted-mcps", "severity": "CRIT", "category": "Webhook-Auth", "title": "mcp-whatsapp /webhook ohne HMAC-SHA256", "verified": true, "fixed": "pr-pending", "blocker_for": "friseur-live", "pr": "https://github.com/agentic-ventures/mcps/pull/1", "deploy_blocker": "APP_SECRET in Secret mcp-whatsapp-hosted/whatsapp-config-825vxB ergaenzen"},
    {"id": "F003", "scope": "vault-plugin", "severity": "CRIT", "category": "Secrets", "title": "Live-Tokens in ~/.claude.json (GitHub-PAT + ElevenLabs)", "verified": true, "fixed": false},
    {"id": "F004", "scope": "aws-org", "severity": "CRIT", "category": "Auth-Failures", "title": "Mgmt-Account Root-Access-Keys + IAM-User mkuehlmann ohne MFA", "verified": true, "fixed": false},
    {"id": "F005", "scope": "aws-org", "severity": "CRIT", "category": "Auth-Failures", "title": "3 Accounts ohne Root-MFA (av-prod, av-becker, mk-privat)", "verified": true, "fixed": false},
    {"id": "F006", "scope": "agents-platform", "severity": "HIGH", "category": "Supply-Chain", "title": "fast-uri CVE 7.5 via aws-cdk-lib (build-time)", "verified": true, "fixed": "pr-pending", "pr": "https://github.com/agentic-ventures/agents-platform/pull/1"},
    {"id": "F007", "scope": "hetzner-dns", "severity": "HIGH", "category": "Misconfig", "title": "DNSSEC + CAA fehlen auf beiden Domains", "verified": true, "fixed": false},
    {"id": "F008", "scope": "hetzner-dns", "severity": "HIGH", "category": "Auth-Failures", "title": "pdf.agenticventures.de mit Stirling-Default-Login admin/stirling-pdf", "verified": true, "fixed": false},
    {"id": "F009", "scope": "hetzner-dns", "severity": "HIGH", "category": "Misconfig", "title": "SSH 0.0.0.0/0 auf av-tools-stirling-01", "verified": true, "fixed": false},
    {"id": "F010", "scope": "vault-plugin", "severity": "HIGH", "category": "Misconfig", "title": ".claude/settings.local.json Allowlist zu breit", "verified": true, "fixed": true, "fixed_at": "2026-05-15", "note": "lokal angewandt (gitignored), enge Patterns"},
    {"id": "F011", "scope": "icking-rebuild", "severity": "HIGH", "category": "LLM-Cost-Attack", "title": "/chat ohne Rate-Limit (slowapi nicht verdrahtet)", "verified": true, "fixed": "pr-pending", "pr": "https://github.com/marvin-khl/a-icking/pull/4"},
    {"id": "F012", "scope": "icking-rebuild", "severity": "HIGH", "category": "Misconfig", "title": "cloudflared-Sidecar essential=false (Tunnel-Crash haelt App reachable)", "verified": true, "fixed": "pr-pending", "pr": "https://github.com/marvin-khl/a-icking/pull/4"},
    {"id": "F013", "scope": "agents-platform", "severity": "MED", "category": "Info-Disclosure", "title": "dashboard-presignup leakt Whitelist-Modell", "verified": true, "fixed": "pr-pending", "pr": "https://github.com/agentic-ventures/agents-platform/pull/1"},
    {"id": "F014", "scope": "eigenbau-mcps", "severity": "MED", "category": "Blast-Radius", "title": "mcp-papierkram 57 Write-Tools hinter einem OAuth-Scope", "verified": true, "fixed": false},
    {"id": "F015", "scope": "eigenbau-mcps", "severity": "MED", "category": "Supply-Chain", "title": "mcp-gsuite oauth2client==4.1.3 deprecated", "verified": true, "fixed": false},
    {"id": "F016", "scope": "hosted-mcps", "severity": "MED", "category": "Supply-Chain", "title": "mcp-whatsapp cloudflared:latest ohne Digest", "verified": true, "fixed": "pr-pending", "pr": "https://github.com/agentic-ventures/mcps/pull/1"},
    {"id": "F017", "scope": "hosted-mcps", "severity": "MED", "category": "CI/CD", "title": "mcp-whatsapp ohne CI/Lint/gitleaks", "verified": true, "fixed": "pr-pending", "pr": "https://github.com/agentic-ventures/mcps/pull/1"},
    {"id": "F018", "scope": "vault-plugin", "severity": "MED", "category": "Data-Classification", "title": "260 internal-Files committed ohne pre-commit-Guard", "verified": true, "fixed": "pr-pending", "pr": "https://github.com/marvin-khl/agentic-ventures/pull/1"},
    {"id": "F019", "scope": "aws-org", "severity": "MED", "category": "Secrets", "title": "25 Secrets in av-prod ohne Rotation", "verified": true, "fixed": false},
    {"id": "F020", "scope": "aws-org", "severity": "MED", "category": "Detection-Gap", "title": "GuardDuty nur in becker, 3/4 Accounts blind", "verified": true, "fixed": true, "fixed_at": "2026-05-15", "note": "Org-weit Auto-Enable, av-prod delegated admin"},
    {"id": "F021", "scope": "aws-org", "severity": "MED", "category": "Detection-Gap", "title": "Kein Access Analyzer in keinem Account", "verified": true, "fixed": true, "fixed_at": "2026-05-15", "note": "Org-Analyzer av-org-analyzer in av-prod"},
    {"id": "F022", "scope": "icking-rebuild", "severity": "MED", "category": "LLM-Prompt-Injection", "title": "/chat User-Content ohne Filter, RAG-Hits in System-Prompt", "verified": true, "fixed": false},
    {"id": "F023", "scope": "icking-rebuild", "severity": "MED", "category": "Misconfig", "title": "Default-VPC fuer Prod-Workload", "verified": true, "fixed": false},
    {"id": "F024", "scope": "hetzner-dns", "severity": "MED", "category": "Data-Classification", "title": "age-Key-Management fuer 7y-Audit-Buckets nicht spec'd", "verified": true, "fixed": false}
  ],
  "summary": {
    "crit": 5,
    "high": 7,
    "med": 12,
    "low": 0,
    "total": 24
  },
  "blockers": ["friseur-live"]
}