Low, Functional: Filter and date-range state is read from the URL on mount but never written back. useSearchParams() is read once inside the useReducer initializer (here and the parseAuditReportFilters call below), and submit-report/filter changes only update local reducer state. There is no router.replace/pushState anywhere in the file.

The PR notes describe this state as "URL-backed," but it is one-way: a pasted deep link is honored on first load, yet once the user changes the period or a filter the address bar goes stale. They cannot bookmark or share the view they are looking at, and back/forward will not move between filter states. For an audit report this sharing case is plausible.

Suggestion: on submit-report (and optionally filter changes), push the current range and filters to the URL with router.replace. If read-only deep-linking is the intended scope, consider softening the "URL-backed" wording so it does not imply round-tripping.

Low, Design: This getAnalysisPresentation and getAnalysisStatus in FindingDetailDialog.tsx both map analysis_status + sandboxAnalysis.isExploitable + triage.suggestedAction to a label and tone, and they have already drifted. This helper omits the sandbox.extractionStatus === 'failed' and isExploitable === 'unknown' branches the dialog handles, and labels the not-exploitable case "Not exploitable" where the dialog says "No reachable path."

The result is that the same finding can read differently depending on whether it is shown in the list or the detail dialog. Only this helper is unit-tested.

Suggestion: extract one shared, tested helper for the analysis-status-to-presentation mapping (surfaces can still pick their own icon/tooltip from a common state), or at minimum add a test around the dialog's getAnalysisStatus so the two stay aligned.

Nit, Design: formatReportDateTime reshapes the formatted string with .replace(/, (\d{2}:\d{2} UTC)$/, ' at $1'), which depends on the exact Intl.DateTimeFormat output shape. If an ICU/runtime version formats the parts differently the replace silently no-ops and you get the unmodified string. Degradation is graceful, just brittle. Assembling the date and time from formatToParts (or composing two formatters) would avoid relying on the output layout.