KyZN: fix HIGH+MEDIUM+LOW findings (20260329-132602-2a6016fd)#1

Merged
bokiko merged 3 commits into main from kyzn/20260329-analyze-fix-2a6016fd
Mar 29, 2026

Conversation

@bokiko
Owner

@bokiko bokiko commented Mar 29, 2026

Analysis Fixes

Applied fixes for findings at severity LOW and above.

Run ID: 20260329-132602-2a6016fd
Cost: $0.49
Batches: 3 applied (HIGH → MEDIUM → LOW), 0 failed, 0 skipped
Diff: 8 lines

Changes

 README.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

What Was Fixed

HIGH:

SEC-001 — Removed -k flag from curl command in README.md:164

  • Change: curl -o- -k https://... → curl -o- https://...
  • Why: The -k/--insecure flag disabled SSL certificate verification. Combined with | bash, this allowed a MITM attacker to inject arbitrary code. The target (raw.githubusercontent.com) has a valid cert, so the flag was both unnecessary and dangerous.

MEDIUM: Both fixes applied:

  • BUG-001 README.md:42: Changed Rock 5A (RK3588) → Rock 5A (RK3588S) (correct chipset variant)
  • SEC-002 README.md:118: Added security blockquote after the password change prompt, advising users to set a strong password and disable SSH password login

LOW: ARCH-001 README.md:143: Replaced tmux with screen in the apt install command, aligning the essential packages list with the screen-based session management used throughout the guide.

Approach

Findings were batched by severity tier (CRITICAL → HIGH → MEDIUM → LOW).
Each batch was verified and committed independently — if a batch broke tests,
self-repair was attempted. Failed batches were reverted to protect passing code.
Diff budget was tracked incrementally to prevent waste.


Generated by KyZN — autonomous code improvement


@bokiko bokiko merged commit 5ff735f into main Mar 29, 2026
1 check passed
@bokiko bokiko deleted the kyzn/20260329-analyze-fix-2a6016fd branch March 30, 2026 04:00