code-review: 2026-05-28 baseline re-review of all 23 modules at 1eb6e97

Re-applies the full 10-category checklist to every src/ project — including
first-time reviews of the four newer components (AuditLog, NotificationOutbox,
SiteCallAudit, Transport) — so the code-reviews/ index reflects today's
codebase rather than the 2026-05-16 baseline. 172 new Open findings (0
Critical, 18 High, 62 Medium, 92 Low); 481 findings total across 23 modules.

regen-readme.py now derives each module's Last reviewed + Commit from its
findings.md header instead of hard-coding 2026-05-16 / 9c60592, so future
single-module re-reviews show their own date in the Module Status table.

code-reviews/regen-readme.py

@@ -33,9 +33,21 @@ def discover_modules():
     return modules
 
 
+def parse_header(module, text):
+    """Extract (last_reviewed, commit) from the module's header table.
+    Falls back to the historical baseline when the field is absent or templated."""
+    last = re.search(r"\|\s*Last reviewed\s*\|\s*([0-9]{4}-[0-9]{2}-[0-9]{2})", text)
+    commit = re.search(r"\|\s*Commit reviewed\s*\|\s*`([^`]+)`", text)
+    return (
+        last.group(1) if last else "2026-05-16",
+        commit.group(1) if commit else "9c60592",
+    )
+
+
 def parse_findings(module):
-    """Parse one module's findings.md into (module, id, severity, title, status) tuples."""
+    """Parse one module's findings.md into ((last_reviewed, commit), [(module, id, severity, title, status), ...])."""
     text = open(os.path.join(BASE, module, "findings.md")).read()
+    header = parse_header(module, text)
     findings = []
     for block in re.split(r"^### ", text, flags=re.M)[1:]:
         head = block.splitlines()[0].strip()
@@ -49,7 +61,7 @@ def parse_findings(module):
         if not sev or not status:
             raise SystemExit(f"{module}/findings.md: {fid} is missing a Severity or Status field")
         findings.append((module, fid, sev.group(1), title, status.group(1).strip()))
-    return findings
+    return header, findings
 
 
 def finding_number(finding):
@@ -58,7 +70,7 @@ def finding_number(finding):
 
 def build_readme(modules, per_module):
     pending = sorted(
-        (f for fs in per_module.values() for f in fs if f[4] in PENDING_STATUSES),
+        (f for fs in per_module.values() for f in fs[1] if f[4] in PENDING_STATUSES),
         key=lambda f: (SEVERITY_ORDER.get(f[2], 9), f[0], finding_number(f)),
     )
 
@@ -66,7 +78,7 @@ def build_readme(modules, per_module):
         return sum(1 for f in pending if f[2] == sev)
 
     def open_count(module, sev):
-        return sum(1 for f in per_module[module]
+        return sum(1 for f in per_module[module][1]
                    if f[2] == sev and f[4] in PENDING_STATUSES)
 
     lines = []
@@ -123,9 +135,10 @@ def build_readme(modules, per_module):
     add("|--------|---------------|--------|----------------|------|-------|")
     for module in modules:
         counts = [open_count(module, s) for s in ("Critical", "High", "Medium", "Low")]
-        add(f"| [{module}]({module}/findings.md) | 2026-05-16 | `9c60592` "
+        last_reviewed, commit = per_module[module][0]
+        add(f"| [{module}]({module}/findings.md) | {last_reviewed} | `{commit}` "
             f"| {counts[0]}/{counts[1]}/{counts[2]}/{counts[3]} "
-            f"| {sum(counts)} | {len(per_module[module])} |")
+            f"| {sum(counts)} | {len(per_module[module][1])} |")
     add("")
     add("## Pending Findings")
     add("")
@@ -159,8 +172,8 @@ def main():
 
     readme_path = os.path.join(BASE, "README.md")
     pending = sum(1 for fs in per_module.values()
-                  for f in fs if f[4] in PENDING_STATUSES)
-    total = sum(len(fs) for fs in per_module.values())
+                  for f in fs[1] if f[4] in PENDING_STATUSES)
+    total = sum(len(fs[1]) for fs in per_module.values())
 
     if check:
         current = open(readme_path).read() if os.path.exists(readme_path) else ""