Reported by external reviewer
On a real-world target, COOP/COEP detector emitted 13 identical clusters — one per page route. The bug (if real) is a single header-config issue at the server level, not 13 separate per-page bugs. Cluster signature is too narrow.
Note
This is separate from issue #110 (which addresses the false-positive trigger). Even after #110 lands and the detector only fires on real `new SharedArrayBuffer()` instantiation, when it does fire it should:
- Cluster all per-route findings under one signature
- Show the affected routes as occurrences within that cluster
Fix
Update the cluster signature to omit the per-route URL. Use only:
- Detector kind (`coop_coep_violation`)
- Header-config-class signature (which header was missing/mis-set)
- Origin (origin-level matters; sub-route does not)
Then 13 finding-events from 13 routes should collapse to 1 cluster with 13 occurrences.
Priority
High once #110 lands — at that point the detector will fire less often but still cluster wrong.
Reported by external reviewer
On a real-world target, COOP/COEP detector emitted 13 identical clusters — one per page route. The bug (if real) is a single header-config issue at the server level, not 13 separate per-page bugs. Cluster signature is too narrow.
Note
This is separate from issue #110 (which addresses the false-positive trigger). Even after #110 lands and the detector only fires on real `new SharedArrayBuffer()` instantiation, when it does fire it should:
Fix
Update the cluster signature to omit the per-route URL. Use only:
Then 13 finding-events from 13 routes should collapse to 1 cluster with 13 occurrences.
Priority
High once #110 lands — at that point the detector will fire less often but still cluster wrong.