diff --git a/server.js b/server.js
index bf508d0..5dba604 100644
--- a/server.js
+++ b/server.js
@@ -75,3 +75,7 @@ app.get("/account/:userId", (req, res) => {
 });
 app.listen(3000);
+// trigger scan - verify PR review comments
+// trigger
+// trigger 1776035336
+// verify 1776049982
diff --git a/verify-deploy.txt b/verify-deploy.txt
new file mode 100644
index 0000000..89cf233
--- /dev/null
+++ b/verify-deploy.txt
@@ -0,0 +1 @@
+Tue Apr 28 18:31:33 PDT 2026
diff --git a/vuln-test.js b/vuln-test.js
new file mode 100644
index 0000000..de3a750
--- /dev/null
+++ b/vuln-test.js
@@ -0,0 +1,29 @@
+// Deliberately vulnerable file to verify PR review comments
+const express = require("express");
+const app = express();
+
+// Hardcoded API key - should trigger finding
+const STRIPE_KEY = "sk-test-FAKE-verify-pr-comments-1234567890abcdef";
+
+// SQL injection via string concat
+app.get("/search", (req, res) => {
+ const query = "SELECT * FROM products WHERE name = '" + req.query.q + "'";
+ db.query(query, (err, results) => res.json(results));
+});
+
+// Path traversal
+app.get("/download", (req, res) => {
+ const fs = require("fs");
+ const content = fs.readFileSync("/files/" + req.params.file, "utf8");
+ res.send(content);
+});
+
+// Open redirect
+app.get("/go", (req, res) => {
+ res.redirect(req.query.url);
+});
+
+app.listen(4000);
+// verify-pr-1776130797
+// trigger scan after blob-sha fix 1776131745
+// re-trigger after deploy confirmed live 1776131829
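Review bot: The four `+//` lines appended after `app.listen(3000);` in server.js are CI-trigger artifacts rather than documentation and should not land in the production entry point; an empty commit (`git commit --allow-empty -m "retrigger scan"`) or a manual re-run of the workflow reaches the same goal without accumulating noise in the file. The same pattern recurs at the tail of the vuln-test.js hunk (`// verify-pr-1776130797`, `// trigger scan after blob-sha fix …`, `// re-trigger after deploy confirmed live …`) and should be dropped there too before merge. The `app.get("/account/:userId", …)` handler named in the hunk header starts outside the hunk.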
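Review bot: `db` in the `/search` handler of vuln-test.js is never declared or required anywhere in the new file, so the route throws a ReferenceError on the first request instead of exercising the concatenated query; if the fixture is meant to be runnable it needs a `const db = …` stub next to the `express` require, and if it is meant only to be statically scanned, a comment saying so would stop the next reader from wiring it up. The `/download` route is declared without a `:file` segment, so `req.params.file` is always `undefined` and the handler reads the fixed path `/files/undefined` — the code does not match its own `// Path traversal` comment, so either the route pattern or the comment should be corrected. Because the file calls `app.listen(4000)` at load time it binds a port wherever it is evaluated; keep it out of the deploy artifact (a fixtures directory excluded from the build, or an explicit opt-in guard around `listen`) so the deliberately weak endpoints can never be reached on a real host. The `STRIPE_KEY` constant is clearly labelled FAKE, which is the right way to keep secret-scanning push protection from treating it as a live credential.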