diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..1a79210
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,35 @@
+name: CI
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: PHP 8.4 / Test & Analyse
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.4'
+          extensions: curl, mbstring, xml
+          coverage: xdebug
+
+      - name: Install dependencies
+        run: composer install --prefer-dist --no-progress --no-interaction
+
+      - name: Run tests with coverage
+        run: vendor/bin/pest --coverage --min=80
+
+      - name: Run PHPStan
+        run: vendor/bin/phpstan analyse --no-progress
diff --git a/.omc/state/checkpoints/checkpoint-2026-03-10T08-14-41-766Z.json b/.omc/state/checkpoints/checkpoint-2026-03-10T08-14-41-766Z.json
new file mode 100644
index 0000000..acc51c1
--- /dev/null
+++ b/.omc/state/checkpoints/checkpoint-2026-03-10T08-14-41-766Z.json
@@ -0,0 +1,11 @@
+{
+  "created_at": "2026-03-10T08:14:41.765Z",
+  "trigger": "auto",
+  "active_modes": {},
+  "todo_summary": {
+    "pending": 0,
+    "in_progress": 0,
+    "completed": 0
+  },
+  "wisdom_exported": false
+}
\ No newline at end of file
diff --git a/.omc/state/subagent-tracking.json b/.omc/state/subagent-tracking.json
new file mode 100644
index 0000000..f6b7431
--- /dev/null
+++ b/.omc/state/subagent-tracking.json
@@ -0,0 +1,26 @@
+{
+  "agents": [
+    {
+      "agent_id": "a699400d97bee152d",
+      "agent_type": "Explore",
+      "started_at": "2026-03-10T08:10:14.616Z",
+      "parent_mode": "none",
+      "status": "failed",
+      "completed_at": "2026-03-10T08:11:31.007Z",
+      "duration_ms": 76391
+    },
+    {
+      "agent_id": "a308486ee44f9c951",
+      "agent_type": "Explore",
+      "started_at": "2026-03-10T08:12:45.759Z",
+      "parent_mode": "none",
+      "status": "failed",
+      "completed_at": "2026-03-10T08:14:41.642Z",
+      "duration_ms": 115883
+    }
+  ],
+  "total_spawned": 2,
+  "total_completed": 0,
+  "total_failed": 2,
+  "last_updated": "2026-03-10T08:16:10.392Z"
+}
\ No newline at end of file
diff --git a/BACKLOG.md b/BACKLOG.md
new file mode 100644
index 0000000..d6d65cb
--- /dev/null
+++ b/BACKLOG.md
@@ -0,0 +1,177 @@
+# plugin_webseer — Backlog
+
+---
+
+### Issue #1: security(sql): parameterise email address in plugin_webseer_update_contacts()
+- **Priority**: high
+- **Labels**: [security, sql-injection, hardening]
+- **Branch**: `security/1-parameterise-contacts-email`
+- **Evidence**: `includes/functions.php:319-325` — `db_execute("REPLACE INTO plugin_webseer_contacts ... '" . $u['email_address'] . "'")`
+- **Acceptance criteria**:
+  - [ ] Both `db_execute()` calls replaced with `db_execute_prepared()` using `?` placeholders
+  - [ ] `$u['id']`, `$cid`, and `$u['email_address']` all bound as parameters
+  - [ ] Unit test covers email address containing single quote
+  - [ ] PHPStan level 6 passes
+- **Dependencies**: none
+
+---
+
+### Issue #2: security(sql): parameterise rfilter RLIKE clause in list_urls()
+- **Priority**: high
+- **Labels**: [security, sql-injection, hardening]
+- **Branch**: `security/2-parameterise-rfilter-rlike`
+- **Evidence**: `webseer.php:744-749` — `'display_name RLIKE \'' . get_request_var('rfilter') . '\''`
+- **Acceptance criteria**:
+  - [ ] All five RLIKE comparisons use `db_fetch_assoc_prepared()` with bound `?` params
+  - [ ] Or `db_qstr()` wrapping applied as interim measure
+  - [ ] Regression test with a regex containing a single quote
+  - [ ] PHPStan passes
+- **Dependencies**: none
+
+---
+
+### Issue #3: security(sql): parameterise proxy filter LIKE clause in proxies()
+- **Priority**: high
+- **Labels**: [security, sql-injection, hardening]
+- **Branch**: `security/3-parameterise-proxy-filter`
+- **Evidence**: `webseer_proxies.php:255` — `' name LIKE "%' . get_request_var('filter') . '%" OR hostname LIKE ...'`
+- **Acceptance criteria**:
+  - [ ] Filter value bound via prepared statement parameter
+  - [ ] Test covers filter value with `%`, `_`, `'` characters
+- **Dependencies**: none
+
+---
+
+### Issue #4: security(sql): replace manual strip with prepared statement in remote.php SETMASTER
+- **Priority**: high
+- **Labels**: [security, sql-injection, hardening]
+- **Branch**: `security/4-setmaster-prepared`
+- **Evidence**: `remote.php:174-176` — `str_replace(array("'", '\\'), '', $_POST['ip'])` then `db_fetch_row("... WHERE ip = '$ip'")`
+- **Acceptance criteria**:
+  - [ ] `db_fetch_row_prepared('... WHERE ip = ?', [$ip])` replaces the concatenated query
+  - [ ] Manual `str_replace` sanitisation removed
+  - [ ] Test covers IP containing SQL metacharacters
+- **Dependencies**: none
+
+---
+
+### Issue #5: security(ssrf): implement UrlValidator and wire into cURL class
+- **Priority**: high
+- **Labels**: [security, ssrf, hardening]
+- **Branch**: `security/5-ssrf-url-validator`
+- **Evidence**: `classes/cURL.php:91,136` — `curl_init($url)` without host validation
+- **Acceptance criteria**:
+  - [ ] `src/Security/UrlValidator.php` validates scheme allowlist (http/https only)
+  - [ ] Blocks RFC-1918, loopback, link-local, AWS metadata ranges
+  - [ ] `cURL::get()` calls `UrlValidator::isAllowed()` before `curl_init()`; returns error result on rejection
+  - [ ] `cURL::post()` calls `UrlValidator::isAllowed()` before `curl_init()`
+  - [ ] All `->todo()` annotations in `SsrfTest.php` converted to passing tests
+  - [ ] PHPStan passes
+- **Dependencies**: `src/Security/UrlValidator.php` skeleton already present
+
+---
+
+### Issue #6: security(deserialization): replace unserialize with JSON in server sync
+- **Priority**: high
+- **Labels**: [security, deserialization, hardening]
+- **Branch**: `security/6-replace-unserialize-json`
+- **Evidence**: `includes/functions.php:75,107` — `unserialize(base64_decode($servers))` / `unserialize(base64_decode($urls))`
+- **Acceptance criteria**:
+  - [ ] `plugin_webseer_refresh_servers()` and `plugin_webseer_refresh_urls()` decode JSON instead of PHP serialised data
+  - [ ] `remote.php` GETSERVERS/GETURLS actions encode with `json_encode()` instead of `serialize()`
+  - [ ] If serialised format cannot be changed immediately, at minimum add `['allowed_classes' => false]` to both `unserialize()` calls
+  - [ ] Test covers malicious serialised object payload being rejected
+- **Dependencies**: #11 (remote.php hardening) for protocol change
+
+---
+
+### Issue #7: security(xss): escape URL in history and list view anchor tags
+- **Priority**: high
+- **Labels**: [security, xss, hardening]
+- **Branch**: `security/7-escape-url-anchor-tags`
+- **Evidence**: `webseer.php:651`, `webseer_servers.php:434` — `href='" . $row['url'] . "'"` without `html_escape()`
+- **Acceptance criteria**:
+  - [ ] Both `$row['url']` occurrences wrapped with `html_escape()`
+  - [ ] Scheme validated to be `http` or `https` before rendering as a clickable link; otherwise render as plain text
+  - [ ] Test covers URL with `javascript:` scheme and with `<script>` in value
+- **Dependencies**: none
+
+---
+
+### Issue #8: security(tls): enable TLS verification by default in cURL class
+- **Priority**: medium
+- **Labels**: [security, tls, hardening]
+- **Branch**: `security/8-tls-verify-default`
+- **Evidence**: `classes/cURL.php:192-198` — `CURLOPT_SSL_VERIFYPEER => FALSE` when `checkcert == ''`
+- **Acceptance criteria**:
+  - [ ] Default behaviour enables peer and host verification
+  - [ ] `CURLOPT_CAINFO` set to bundled `ca-bundle.crt`
+  - [ ] `checkcert` field inverted: empty = verify (default), explicit flag = skip
+  - [ ] Existing service checks that relied on skip-verify prompt admin on upgrade
+- **Dependencies**: none
+
+---
+
+### Issue #9: security(ssrf): add SSRF guard to remote.php inter-server POST targets
+- **Priority**: medium
+- **Labels**: [security, ssrf, hardening]
+- **Branch**: `security/9-remote-server-url-guard`
+- **Evidence**: `includes/functions.php:68,101,200,207` — `$cc->post($server['url'], ...)` where `$server['url']` is DB-stored
+- **Acceptance criteria**:
+  - [ ] Server URLs validated through `UrlValidator::isAllowed()` before each POST
+  - [ ] Invalid URL logs warning and skips that server
+- **Dependencies**: #5
+
+---
+
+### Issue #10: test(harness): bootstrap Pest 4 test harness
+- **Priority**: high
+- **Labels**: [test, infrastructure]
+- **Branch**: `test/10-pest4-bootstrap`
+- **Evidence**: no existing test suite
+- **Acceptance criteria**:
+  - [ ] `composer install` succeeds on PHP 8.4
+  - [ ] `vendor/bin/pest` runs and reports 0 failures on existing tests
+  - [ ] `pest.php` groups unit/integration/security directories
+  - [ ] CI workflow runs on push and PR
+- **Dependencies**: none
+
+---
+
+### Issue #11: ci(actions): GitHub Actions CI workflow
+- **Priority**: high
+- **Labels**: [ci, infrastructure]
+- **Branch**: `ci/11-github-actions`
+- **Evidence**: no CI workflow exists
+- **Acceptance criteria**:
+  - [ ] Workflow file at `.github/workflows/ci.yml`
+  - [ ] `actions/checkout` pinned to full SHA `11bd71901bbe5b1630ceea73d27597364c9af683`
+  - [ ] PHP 8.4, Pest with coverage min 80%, PHPStan
+  - [ ] Passes on clean checkout
+- **Dependencies**: #10
+
+---
+
+### Issue #12: refactor(seam): introduce Cacti global isolation seam
+- **Priority**: medium
+- **Labels**: [refactor, testability]
+- **Branch**: `refactor/12-cacti-isolation-seam`
+- **Evidence**: all PHP files call global Cacti functions directly — untestable without full Cacti bootstrap
+- **Acceptance criteria**:
+  - [ ] `src/Infrastructure/CactiDatabase.php` interface wrapping `db_execute_prepared`, `db_fetch_assoc_prepared`, etc.
+  - [ ] `tests/Helpers/CactiStubs.php` provides test doubles
+  - [ ] At least one production class uses the interface rather than calling globals directly
+- **Dependencies**: #10
+
+---
+
+### Issue #13: docs(security): add SECURITY.md with vulnerability disclosure process
+- **Priority**: medium
+- **Labels**: [docs, security]
+- **Branch**: `docs/13-security-md`
+- **Evidence**: no SECURITY.md exists
+- **Acceptance criteria**:
+  - [ ] SECURITY.md documents the Cacti Group private disclosure process
+  - [ ] References GitHub Security Advisories
+  - [ ] Lists supported versions
+- **Dependencies**: none
diff --git a/SECURITY-AUDIT.md b/SECURITY-AUDIT.md
new file mode 100644
index 0000000..1f54947
--- /dev/null
+++ b/SECURITY-AUDIT.md
@@ -0,0 +1,365 @@
+# plugin_webseer — Security Audit
+
+Audit date: 2026-03-09
+Auditor: principal-level static review + manual code inspection
+Scope: all PHP files in plugin root, includes/, classes/
+
+---
+
+## Summary
+
+| Severity | Count |
+|----------|-------|
+| Critical | 2 |
+| High     | 4 |
+| Medium   | 3 |
+| Low      | 2 |
+| **Total**| **11** |
+
+The most urgent issues are the unguarded SSRF vector (any authenticated admin
+can point the poller at internal infrastructure) and the SQL injection in
+`plugin_webseer_update_contacts()` which concatenates `email_address` from
+`user_auth` directly into a `db_execute()` call.
+
+---
+
+## All Findings
+
+### FIND-001
+- **Category**: SQL Injection
+- **Severity**: Critical
+- **Confidence**: High
+- **File**: `includes/functions.php`
+- **Lines**: 319–325
+- **Evidence**:
+  ```php
+  $cid = db_fetch_cell('SELECT id FROM plugin_webseer_contacts WHERE type="email" AND user_id=' . $u['id']);
+  if ($cid) {
+      db_execute("REPLACE INTO plugin_webseer_contacts (id, user_id, type, data) VALUES ($cid, " . $u['id'] . ", 'email', '" . $u['email_address'] . "')");
+  } else {
+      db_execute("REPLACE INTO plugin_webseer_contacts (user_id, type, data) VALUES (" . $u['id'] . ", 'email', '" . $u['email_address'] . "')");
+  }
+  ```
+- **Description**: `email_address` from `user_auth` is concatenated directly
+  into `db_execute()` without parameterisation. A user whose email contains a
+  single quote (e.g. `foo',(SELECT password FROM user_auth LIMIT 1),'x`) can
+  corrupt or exfiltrate data. The value is entirely user-controlled via the
+  Cacti user profile page.
+- **Exploitability**: Post-authentication; any user who can edit their own email
+  address. In Cacti's default configuration that includes non-admin users.
+- **Remediation**: Replace both `db_execute()` calls with
+  `db_execute_prepared()` using `?` placeholders for `$cid`, `$u['id']`, and
+  `$u['email_address']`.
+- **TDD Status**: Ready — seam is Cacti's `db_execute_prepared()` stub.
+
+---
+
+### FIND-002
+- **Category**: SSRF (Server-Side Request Forgery)
+- **Severity**: Critical
+- **Confidence**: High
+- **File**: `classes/cURL.php`
+- **Lines**: 86–123 (`post()`), 129–280 (`get()`)
+- **Evidence**:
+  ```php
+  $process = curl_init($url);
+  // ...
+  $process = curl_init($url);
+  ```
+- **Description**: The `cURL` class accepts any URL from `plugin_webseer_urls.url`
+  and fetches it without validating the host against private/internal IP ranges.
+  An authenticated admin can create a service check targeting
+  `http://169.254.169.254/latest/meta-data/` (AWS IMDS), internal APIs, or
+  other private services. Results are stored in `plugin_webseer_urls_log` and
+  displayed in the history view, making this a full read-SSRF.
+- **Exploitability**: Post-authentication (admin role). In multi-tenant Cacti
+  deployments, any realm that can manage service checks is sufficient.
+- **Remediation**: Validate the target URL through `UrlValidator::isAllowed()`
+  before calling `curl_init()`. Block RFC-1918, loopback, link-local, and
+  non-http(s) schemes. See `src/Security/UrlValidator.php`.
+- **TDD Status**: Seam required — `UrlValidator` class is in place; wire into
+  `cURL::get()` and `cURL::post()`.
+
+---
+
+### FIND-003
+- **Category**: Unsafe Deserialization
+- **Severity**: High
+- **Confidence**: High
+- **File**: `includes/functions.php`
+- **Lines**: 75, 107
+- **Evidence**:
+  ```php
+  $servers = unserialize(base64_decode($servers));
+  // ...
+  $urls = unserialize(base64_decode($urls));
+  ```
+- **Description**: Data returned from a remote webseer server over HTTP is
+  base64-decoded and then passed to `unserialize()` without
+  `['allowed_classes' => false]`. If the remote server is compromised or the
+  connection is intercepted (no TLS verification in `cURL::post()`), an
+  attacker can achieve remote code execution via PHP object injection.
+- **Exploitability**: Requires MITM or compromise of one webseer slave server.
+  Realistic in internal network environments where TLS is not enforced.
+- **Remediation**: Pass `['allowed_classes' => false]` as second argument to
+  both `unserialize()` calls. Better: switch the inter-server protocol to JSON.
+- **TDD Status**: Ready — stub `unserialize()` contract is documented in
+  `tests/Security/SsrfTest.php`.
+
+---
+
+### FIND-004
+- **Category**: SQL Injection (filter bypass)
+- **Severity**: High
+- **Confidence**: High
+- **File**: `webseer.php`
+- **Lines**: 744–749
+- **Evidence**:
+  ```php
+  $sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') .
+      'display_name RLIKE \'' . get_request_var('rfilter') . '\' OR ' .
+      'url RLIKE \'' . get_request_var('rfilter') . '\' OR ' .
+      'search RLIKE \'' . get_request_var('rfilter') . '\' OR ' .
+      'search_maint RLIKE \'' . get_request_var('rfilter') . '\' OR ' .
+      'search_failed RLIKE \'' . get_request_var('rfilter') . '\'';
+  ```
+- **Description**: `rfilter` is validated as a regex via
+  `FILTER_VALIDATE_IS_REGEX` in `webseer_request_validation()` (line 473), but
+  the validated value is still concatenated into a raw SQL RLIKE clause. A
+  regex that is also a SQL fragment (e.g. `' OR '1'='1`) can escape the RLIKE
+  context and alter query semantics.
+- **Exploitability**: Post-authentication. The regex validator reduces the
+  attack surface but does not eliminate it because the validated value is not
+  then parameterised.
+- **Remediation**: Use `db_fetch_assoc_prepared()` with `? RLIKE ?` binding for
+  each column, or apply `db_qstr()` to `rfilter` before concatenation.
+- **TDD Status**: Ready.
+
+---
+
+### FIND-005
+- **Category**: SQL Injection
+- **Severity**: High
+- **Confidence**: High
+- **File**: `webseer_proxies.php`
+- **Lines**: 255
+- **Evidence**:
+  ```php
+  $sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') .
+      ' name LIKE "%' . get_request_var('filter') . '%" OR hostname LIKE "%' .
+      get_request_var('filter') . '%"';
+  ```
+- **Description**: `filter` is taken from `get_request_var()` (no explicit
+  integer or regex validation shown for this field in `request_validation()`)
+  and concatenated directly into a LIKE clause. Single quotes, percent signs,
+  and backslashes are not escaped. This allows SQLi via the proxy search box.
+- **Exploitability**: Post-authentication.
+- **Remediation**: Replace with a prepared statement:
+  `WHERE name LIKE ? OR hostname LIKE ?` with `'%' . $filter . '%'` as bound
+  parameters. Alternatively wrap with `db_qstr()`.
+- **TDD Status**: Ready.
+
+---
+
+### FIND-006
+- **Category**: SQL Injection
+- **Severity**: High
+- **Confidence**: Medium
+- **File**: `remote.php`
+- **Lines**: 174–176
+- **Evidence**:
+  ```php
+  $ip = str_replace(array("'", '\\'), '', $_POST['ip']);
+  $row = db_fetch_row("SELECT * FROM plugin_webseer_servers WHERE ip = '$ip'");
+  ```
+- **Description**: The SETMASTER handler sanitises `$_POST['ip']` by stripping
+  single quotes and backslashes, then interpolates it directly into
+  `db_fetch_row()`. This manual sanitisation does not cover all SQL injection
+  vectors (e.g. MySQL comment syntax `/**/`, numeric injection). The correct
+  fix is parameterisation, not character stripping.
+- **Exploitability**: The handler is only reached when `$remoteip` matches a
+  known server in `plugin_webseer_servers` (line 46), limiting exposure to
+  requests originating from registered slave servers.
+- **Remediation**: Replace with
+  `db_fetch_row_prepared('SELECT * FROM plugin_webseer_servers WHERE ip = ?', [$ip])`
+  and remove the manual strip.
+- **TDD Status**: Ready.
+
+---
+
+### FIND-007
+- **Category**: XSS (Stored)
+- **Severity**: Medium
+- **Confidence**: High
+- **File**: `webseer_servers.php`
+- **Lines**: 434
+- **Evidence**:
+  ```php
+  form_selectable_cell("<a class='linkEditMain' href='" . $row['url'] . "' target=_new><b>" . $row['url'] . '</b></a>', $row['id']);
+  ```
+- **Description**: `$row['url']` from `plugin_webseer_servers_log` is
+  interpolated into an anchor `href` and anchor text without `html_escape()`.
+  A URL containing `javascript:alert(1)` or a double-quote breaking out of the
+  href attribute would execute arbitrary JavaScript when an admin views server
+  history.
+- **Exploitability**: Post-authentication. URL value is admin-entered, but a
+  compromised slave server could inject it via the HOSTDOWN/ADDSERVER remote
+  actions.
+- **Remediation**: Wrap both occurrences of `$row['url']` with `html_escape()`.
+  Additionally validate that the scheme is `http` or `https` before rendering
+  as a link.
+- **TDD Status**: Ready.
+
+---
+
+### FIND-008
+- **Category**: XSS (Stored)
+- **Severity**: Medium
+- **Confidence**: High
+- **File**: `webseer.php`
+- **Lines**: 651
+- **Evidence**:
+  ```php
+  form_selectable_cell("<a class='linkEditMain' href='" . $row['url'] . "' target=_new>" . $row['url'] . '</a>', $row['id']);
+  ```
+- **Description**: Same pattern as FIND-007 in the URL check history view.
+  `$row['url']` from `plugin_webseer_urls_log` is not escaped in either the
+  href or the link text.
+- **Exploitability**: Same as FIND-007.
+- **Remediation**: Wrap with `html_escape()` in both positions.
+- **TDD Status**: Ready.
+
+---
+
+### FIND-009
+- **Category**: Missing TLS verification
+- **Severity**: Medium
+- **Confidence**: High
+- **File**: `classes/cURL.php`
+- **Lines**: 192–198
+- **Evidence**:
+  ```php
+  if ($this->host['checkcert'] == '') {
+      $cert_opts = array(
+          CURLOPT_SSL_VERIFYPEER => FALSE,
+          CURLOPT_SSL_VERIFYHOST => FALSE,
+      );
+  }
+  ```
+- **Description**: When `checkcert` is empty (the default for new service
+  checks), TLS certificate validation is disabled. Combined with FIND-003
+  (unsafe unserialize) this means inter-server communication happens over
+  unverified TLS, enabling MITM attacks that could deliver malicious
+  serialised payloads.
+- **Exploitability**: Network-adjacent attacker who can intercept traffic
+  between webseer nodes.
+- **Remediation**: Flip the default: enable `CURLOPT_SSL_VERIFYPEER` and
+  `CURLOPT_SSL_VERIFYHOST` by default; only disable when `checkcert` is
+  explicitly set to a bypass flag. The bundled `ca-bundle.crt` should be
+  used via `CURLOPT_CAINFO`.
+- **TDD Status**: Ready.
+
+---
+
+### FIND-010
+- **Category**: Information Disclosure
+- **Severity**: Low
+- **Confidence**: Medium
+- **File**: `remote.php`
+- **Lines**: 183–191
+- **Evidence**:
+  ```php
+  case 'GETSERVERS':
+      print 'SERVERS=' . base64_encode(serialize($servers));
+      break;
+  case 'GETURLS':
+      $urls = db_fetch_assoc('SELECT * FROM plugin_webseer_urls');
+      // ...
+      print 'URLS=' . base64_encode(serialize($urls));
+  ```
+- **Description**: `remote.php` is loaded via `cli_check.php` which blocks web
+  access (defines `CACTI_CLI_ONLY`). However `remote.php` begins with
+  `chdir('../../'); require_once('./include/cli_check.php')` — if this file
+  is web-accessible in some installations it would expose all server and URL
+  data to any IP that is already registered in `plugin_webseer_servers`.
+- **Exploitability**: Low — gated behind IP check on line 46. Risk is higher
+  if `cli_check.php` does not reliably block HTTP access in all deployment
+  configurations.
+- **Remediation**: Confirm `cli_check.php` blocks web access, or add an
+  explicit `CACTI_CLI_ONLY` guard at the top of `remote.php`.
+- **TDD Status**: Seam required — needs integration test with a mock HTTP
+  context.
+
+---
+
+### FIND-011
+- **Category**: Missing auth check on remote.php actions
+- **Severity**: Low
+- **Confidence**: Medium
+- **File**: `remote.php`
+- **Lines**: 41–194
+- **Evidence**:
+  ```php
+  $servers = db_fetch_assoc('SELECT * FROM plugin_webseer_servers');
+  foreach ($servers as $server) {
+      if ($server['ip'] == $remoteip) {
+          $action = get_nfilter_request_var('action', '');
+          switch ($action) { ... }
+  ```
+- **Description**: The only authentication is an IP address match against the
+  `plugin_webseer_servers` table. There is no token, HMAC, or session check.
+  An attacker who can spoof their source IP (e.g. from within the same /24) or
+  who can register their IP as a server can perform all remote actions including
+  TRUNCATE-equivalent operations (DELETEURL/DELETESERVER).
+- **Exploitability**: Requires either IP spoofing or adding a rogue server
+  record to the database — both post-compromise scenarios.
+- **Remediation**: Add a shared-secret HMAC header verified on each request, or
+  move to mutual TLS between webseer nodes.
+- **TDD Status**: Seam required.
+
+---
+
+## Unknowns
+
+- `webseer_process.php` was not present in the repository at audit time.
+  It is launched via `exec_background()` in `poller_webseer.php` and handles
+  the actual HTTP checks. Any security issues in that file are out of scope for
+  this audit.
+- The `mxlookup` class was not fully reviewed. DNS lookup results in
+  `plugin_webseer_check_dns()` are stored in `$results['data']` and may be
+  displayed; verify escaping at render time.
+
+## Blind Spots
+
+- Dynamic SQL via `get_order_string()` — this Cacti core function sanitises
+  `sort_column` and `sort_direction` but its implementation was not inspected.
+  If it does not validate against a column allowlist the ORDER BY clauses in
+  `list_urls()`, `list_servers()`, and history views are injection points.
+- The `sanitize_unserialize_selected_items()` Cacti core function is used
+  throughout. Its implementation was not audited here.
+
+## Seams Needed Before Full TDD
+
+1. Extract `UrlValidator::isInternalHost()` and wire it into `cURL::get()` —
+   skeleton is at `src/Security/UrlValidator.php`.
+2. Extract the `db_execute()` call sites in `plugin_webseer_update_contacts()`
+   into a `ContactRepository` class that accepts `db_execute_prepared` as a
+   collaborator.
+3. Replace `unserialize()` in `plugin_webseer_refresh_servers()` and
+   `plugin_webseer_refresh_urls()` with JSON decode, then the seam is trivial.
+
+## Estimated Effort
+
+| Work item | Estimate |
+|-----------|----------|
+| FIND-001 SQL injection fix | 30 min |
+| FIND-002 SSRF guard (wire UrlValidator) | 2 h |
+| FIND-003 unsafe unserialize | 1 h |
+| FIND-004 rfilter parameterisation | 30 min |
+| FIND-005 proxy filter parameterisation | 30 min |
+| FIND-006 SETMASTER parameterisation | 15 min |
+| FIND-007/008 XSS in URL cells | 30 min |
+| FIND-009 TLS default flip | 30 min |
+| FIND-010/011 remote.php hardening | 3 h |
+| Test harness bootstrap (Pest 4) | 1 h |
+| **Total** | **~10 h** |
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..8228fe0
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,27 @@
+# Security Policy
+
+## Supported Versions
+
+This plugin follows the Cacti project's support policy. Security fixes are
+applied to the current development branch and backported per project policy.
+
+## Reporting a Vulnerability
+
+Report security vulnerabilities via the Cacti project's private security
+disclosure process:
+
+- GitHub Security Advisories: https://github.com/Cacti/plugin_webseer/security/advisories
+- Do NOT open public issues for security vulnerabilities.
+
+Please include:
+- Description of the vulnerability
+- Steps to reproduce
+- Affected versions
+- Suggested remediation (if known)
+
+A maintainer will acknowledge the report within 72 hours and provide a
+remediation timeline.
+
+## Security Hardening Notes
+
+See SECURITY-AUDIT.md for the current known finding backlog and remediation status.
diff --git a/classes/cURL.php b/classes/cURL.php
index d263e71..ddb1878 100644
--- a/classes/cURL.php
+++ b/classes/cURL.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
@@ -83,7 +85,7 @@ function cookie($cookie_file) {
 		}
 	}
 
-	function post($url, $data = array()) {
+	function post($url, $data = []) {
 		global $httpcompressions;
 
 		$this->debug('Executing Post Request');
@@ -91,14 +93,14 @@ function post($url, $data = array()) {
 		$process = curl_init($url);
 		$this->headers[] = 'Content-type: application/x-www-form-urlencoded;charset=UTF-8';
 
-		$d = array();
+		$d = [];
 		foreach ($data as $i => $j) {
 			$d[] = "$i=$j";
 		}
 
 		$data = implode('&', $d);
 
-		$options = array(
+		$options = [
 			CURLOPT_HTTPHEADER => $this->headers,
 			CURLOPT_HEADER => true,
 			CURLOPT_USERAGENT => $this->user_agent,
@@ -107,7 +109,7 @@ function post($url, $data = array()) {
 			CURLOPT_RETURNTRANSFER => true,
 			CURLOPT_FOLLOWLOCATION => true,
 			CURLOPT_POST => true,
-		);
+		];
 
 		if (!empty($this->compression)) {
 			$options[CURLOPT_ENCODING] = $httpcompressions[$this->compression];
@@ -175,38 +177,38 @@ function get() {
 
 			$is_https = (substr(strtolower($url), 0, 5) == 'https');
 
-			$proxy_opts = array(
+			$proxy_opts = [
 				CURLOPT_UNRESTRICTED_AUTH => true,
 				CURLOPT_PROXY             => $this->proxy_hostname,
 				CURLOPT_PROXYPORT         => $is_https ? $port_https : $port_http,
-			);
+			];
 
 			if ($this->proxy_username != '') {
 				$proxy_opts[CURLOPT_PROXYUSERPWD] = $this->proxy_username . ':' . $this->proxy_password;
 			}
 		} else {
-			$proxy_opts = array();
+			$proxy_opts = [];
 		}
 
 		// Disable Cert checking for now
 		if ($this->host['checkcert'] == '') {
-			$cert_opts = array(
+			$cert_opts = [
 				CURLOPT_SSL_VERIFYPEER => FALSE,
 				CURLOPT_SSL_VERIFYHOST => FALSE,
-			);
+			];
 		} else {
-			$cert_opts = array();
+			$cert_opts = [];
 		}
 
 		$options += $proxy_opts;
 		$options += $cert_opts;
 
 		$this->debug('cURL options: ' . clean_up_lines(var_export($options, true)));
-		curl_setopt_array($process,$options);
+		curl_setopt_array($process, $options);
 
 		$data = curl_exec($process);
 
-		$this->data = str_replace(array("'", "\\"), array(''), $data);
+		$this->data = str_replace(["'", "\\"], [''], $data);
 
 		$this->results['options'] = curl_getinfo($process);
 		$this->results['options']['compression'] = $this->compression;
@@ -222,7 +224,7 @@ function get() {
 			case 0:
 				break;
 			default:
-				$this->results['error'] = 'HTTP ERROR: ' . str_replace(array('"', "'"), '', (curl_error($process)));
+				$this->results['error'] = 'HTTP ERROR: ' . str_replace(['"', "'"], '', (curl_error($process)));
 
 				break;
 		}
diff --git a/classes/index.php b/classes/index.php
index 9a6d459..596a8fb 100644
--- a/classes/index.php
+++ b/classes/index.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/classes/mxlookup.php b/classes/mxlookup.php
index 52182b3..ae88001 100644
--- a/classes/mxlookup.php
+++ b/classes/mxlookup.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
@@ -28,7 +30,7 @@ class mxlookup {
 	var $dns_packet = NULL;
 	var $ANCOUNT    = 0;
 	var $cIx        = 0;
-	var $arrMX      = array();
+	var $arrMX      = [];
 	var $dns_repl_domain;
 
 	function __construct($domain, $dns = '4.2.2.1') {
@@ -67,7 +69,7 @@ function __construct($domain, $dns = '4.2.2.1') {
 
 			//$mxPref = ord($this->gdi($this->cIx));
 			//$this->parse_data($curmx);
-			//$this->arrMX[] = array('MX_Pref' => $mxPref, 'MX' => $curmx);
+			//$this->arrMX[] = ['MX_Pref' => $mxPref, 'MX' => $curmx];
 			//$this->cIx += 3;
 		}
 	}
@@ -77,7 +79,7 @@ function __destruct() {
 	}
 
 	function parse_data(&$retval) {
-		$arName = array();
+		$arName = [];
 		$byte   = ord($this->gdi($this->cIx));
 
 		while($byte !== 0) {
diff --git a/images/index.php b/images/index.php
index a16f0e6..52af78f 100644
--- a/images/index.php
+++ b/images/index.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/includes/arrays.php b/includes/arrays.php
index ce451fd..7f59729 100644
--- a/includes/arrays.php
+++ b/includes/arrays.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
@@ -74,7 +76,7 @@
 	505 => 'HTTP Version Not Supported',
 );
 
-$httpcompressions = array(
+$httpcompressions = [
 	0  => '',
 	1  => 'aes128gcm',
 	2  => 'br',
@@ -87,7 +89,7 @@
 	9  => 'x-compress',
 	10 => 'x-gzip',
 	11 => 'zstd',
-);
+];
 
 $webseer_minutes = array(
 	1  => __('%d Minute', 1, 'webseer'),
@@ -113,10 +115,10 @@
 	10 => __('%d Seconds', 10, 'webseer'),
 );
 
-$webseer_notify_formats = array(
+$webseer_notify_formats = [
 	WEBSEER_FORMAT_HTML  => 'html',
 	WEBSEER_FORMAT_PLAIN => 'plain',
-);
+];
 
 if (db_table_exists('plugin_webseer_contacts')) {
 	$webseer_contact_users = db_fetch_assoc("SELECT pwc.id, pwc.data, pwc.type, ua.full_name
@@ -125,10 +127,10 @@
 		ON ua.id=pwc.user_id
 		WHERE pwc.data != ''");
 } else {
-	$webseer_contact_users = array();
+	$webseer_contact_users = [];
 }
 
-$webseer_notify_accounts = array();
+$webseer_notify_accounts = [];
 if (!empty($webseer_contact_users)) {
 	foreach ($webseer_contact_users as $webseer_contact_user) {
 		$webseer_notify_accounts[$webseer_contact_user['id']] = $webseer_contact_user['full_name'] . ' - ' . ucfirst($webseer_contact_user['type']);
@@ -211,14 +213,14 @@
 		'size' => '40',
 		'default' => ''
 	),
-	'id' => array(
+	'id' => [
 		'method' => 'hidden_zero',
 		'value' => '|arg1:id|'
-	),
-	'save_component_proxy' => array(
+	],
+	'save_component_proxy' => [
 		'method' => 'hidden',
 		'value' => '1'
-	)
+	]
 );
 
 $webseer_server_fields = array(
@@ -275,10 +277,10 @@
 		'value' => '|arg1:location|',
 		'max_length' => '256',
 	),
-	'id' => array(
+	'id' => [
 		'method' => 'hidden_zero',
 		'value' => '|arg1:id|'
-	),
+	],
 );
 
 $webseer_url_fields = array(
@@ -433,8 +435,8 @@
 		'description' => __('You may specify here extra Emails to receive alerts for this URL (comma separated)', 'webseer'),
 		'value' => '|arg1:notify_extra|',
 	),
-	'id' => array(
+	'id' => [
 		'method' => 'hidden_zero',
 		'value' => '|arg1:id|'
-	),
+	],
 );
diff --git a/includes/constants.php b/includes/constants.php
index aa99487..0788041 100644
--- a/includes/constants.php
+++ b/includes/constants.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/includes/functions.php b/includes/functions.php
index f8dd2ed..5ae22a5 100644
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
@@ -63,7 +65,7 @@ function plugin_webseer_refresh_servers() {
 	$server['debug_type'] = 'Server';
 
 	$cc              = new cURL(true, 'cookies.txt', 'gzip', '', $server);
-	$data            = array();
+	$data            = [];
 	$data['action']  = 'GETSERVERS';
 	$results         = $cc->post($server['url'], $data);
 
@@ -78,9 +80,9 @@ function plugin_webseer_refresh_servers() {
 				foreach ($servers as $save) {
 					db_execute_prepared('REPLACE INTO plugin_webseer_servers (id, enabled, master, name, url, ip, location)
 						VALUES (?,?,?,?,?,?,?)',
-						array(
+						[
 							$save['id'], $save['enabled'], $save['master'], $save['name'], $save['url'], $save['ip'] , $save['location']
-						)
+						]
 					);
 				}
 			}
@@ -96,7 +98,7 @@ function plugin_webseer_refresh_urls () {
 	$server['debug_type'] = 'Server';
 
 	$cc             = new cURL(true, 'cookies.txt', 'gzip', '', $server);
-	$data           = array();
+	$data           = [];
 	$data['action'] = 'GETURLS';
 	$results        = $cc->post($server['url'], $data);
 	$results        = explode("\n", $results);
@@ -113,12 +115,12 @@ function plugin_webseer_refresh_urls () {
 					db_execute_prepared('REPLACE INTO plugin_webseer_urls
 						(id, enabled, requiresauth, checkcert, ip, display_name, notify_list, notify_accounts, url, search, search_maint, search_failed, notify_extra, downtrigger)
 						VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)',
-						array(
+						[
 							$save['id'], $save['enabled'], $save['requiresauth'], $save['checkcert'],
 							$save['ip'], $save['display_name'], $save['notify_list'], $save['notify_accounts'],
 							$save['url'], $save['search'], $save['search_maint'],
 							$save['search_failed'], $save['notify_extra'], $save['downtrigger']
-						)
+						]
 					);
 				}
 			}
@@ -131,7 +133,7 @@ function plugin_webseer_refresh_urls () {
 function plugin_webseer_remove_old_users () {
 	$users = db_fetch_assoc('SELECT id FROM user_auth');
 
-	$u = array();
+	$u = [];
 
 	foreach ($users as $user) {
 		$u[] = $user['id'];
@@ -141,7 +143,7 @@ function plugin_webseer_remove_old_users () {
 
 	foreach ($contacts as $c) {
 		if (!in_array($c['user_id'], $u)) {
-			db_execute_prepared('DELETE FROM plugin_webseer_contacts WHERE user_id = ?', array($c['user_id']));
+			db_execute_prepared('DELETE FROM plugin_webseer_contacts WHERE user_id = ?', [$c['user_id']]);
 		}
 	}
 }
@@ -150,7 +152,7 @@ function plugin_webseer_check_dns ($host) {
 	$results = false;
 
 	if (cacti_sizeof($host)) {
-		$results = array();
+		$results = [];
 		$results['result']                     = 0;
 		$results['options']['http_code']       = 0;
 		$results['error']                      = '';
@@ -189,12 +191,12 @@ function plugin_webseer_set_remote_masters ($ip) {
 	}
 
 	db_execute('UPDATE plugin_webseer_servers set master = 0');
-	db_execute_prepared('UPDATE plugin_webseer_servers set master = 1 WHERE ip = ?', array($ip));
+	db_execute_prepared('UPDATE plugin_webseer_servers set master = 1 WHERE ip = ?', [$ip]);
 }
 
 function plugin_webseer_set_remote_master ($url, $ip) {
 	$cc             = new cURL(true, 'cookies.txt', 'gzip', '', $url);
-	$data           = array();
+	$data           = [];
 	$data['action'] = 'SETMASTER';
 	$data['ip']     = $ip;
 	$results        = $cc->post($url['url'], $data);
@@ -205,7 +207,7 @@ function plugin_webseer_enable_remote_hosts ($id, $value = true) {
 
 	foreach ($servers as $server) {
 		$cc             = new cURL(true, 'cookies.txt', 'gzip', '', $server);
-		$data           = array();
+		$data           = [];
 		$data['action'] = ($value ? 'ENABLEURL' : 'DISABLEURL');
 		$data['id']     = $id;
 		$results        = $cc->post($server['url'], $data);
@@ -217,7 +219,7 @@ function plugin_webseer_delete_remote_hosts ($id) {
 
 	foreach ($servers as $server) {
 		$cc             = new cURL(true, 'cookies.txt', 'gzip', '', $server);
-		$data           = array();
+		$data           = [];
 		$data['action'] = 'DELETEURL';
 		$data['id']     = $id;
 		$results        = $cc->post($server['url'], $data);
@@ -281,7 +283,7 @@ function plugin_webseer_enable_remote_server ($id, $value = true) {
 		$server['debug_type'] = 'Server';
 
 		$cc             = new cURL(true, 'cookies.txt', 'gzip', '', $server);
-		$data           = array();
+		$data           = [];
 		$data['action'] = ($value ? 'ENABLESERVER' : 'DISABLESERVER');
 		$data['id']     = $id;
 		$results        = $cc->post($server['url'], $data);
@@ -295,7 +297,7 @@ function plugin_webseer_delete_remote_server ($id) {
 		$server['debug_type'] = 'Server';
 
 		$cc             = new cURL(true, 'cookies.txt', 'gzip', '', $server);
-		$data           = array();
+		$data           = [];
 		$data['action'] = 'DELETESERVER';
 		$data['id']     = $id;
 		$results        = $cc->post($server['url'], $data);
@@ -337,7 +339,7 @@ function plugin_webseer_check_debug() {
 	}
 }
 
-function plugin_webseer_debug($message='', $host=array()) {
+function plugin_webseer_debug($message='', $host=[]) {
 	global $debug;
 	if ($debug) {
 		$prefix = (empty($host['id']) && empty($host['debug_type'])) ? '' : '[';
diff --git a/includes/index.php b/includes/index.php
index a16f0e6..52af78f 100644
--- a/includes/index.php
+++ b/includes/index.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/index.php b/index.php
index a16f0e6..52af78f 100644
--- a/index.php
+++ b/index.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/infection.json b/infection.json
new file mode 100644
index 0000000..226dbce
--- /dev/null
+++ b/infection.json
@@ -0,0 +1,13 @@
+{
+    "$schema": "https://raw.githubusercontent.com/infection/infection/master/resources/schema.json",
+    "source": {
+        "directories": ["src"]
+    },
+    "mutators": {
+        "@default": true
+    },
+    "minMsi": 60,
+    "minCoveredMsi": 80,
+    "testFramework": "pest",
+    "testFrameworkOptions": "--group=unit"
+}
diff --git a/locales/LC_MESSAGES/index.php b/locales/LC_MESSAGES/index.php
index a16f0e6..52af78f 100644
--- a/locales/LC_MESSAGES/index.php
+++ b/locales/LC_MESSAGES/index.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/locales/index.php b/locales/index.php
index a16f0e6..52af78f 100644
--- a/locales/index.php
+++ b/locales/index.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/locales/po/index.php b/locales/po/index.php
index a16f0e6..52af78f 100644
--- a/locales/po/index.php
+++ b/locales/po/index.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/phpstan.neon b/phpstan.neon
new file mode 100644
index 0000000..fc6f54a
--- /dev/null
+++ b/phpstan.neon
@@ -0,0 +1,13 @@
+includes:
+    - vendor/phpstan/phpstan-strict-rules/rules.neon
+    - vendor/ergebnis/phpstan-rules/rules.neon
+
+parameters:
+    level: 6
+    paths:
+        - src
+        - tests
+    phpVersion: 80400
+    checkGenericClassInNonGenericObjectType: true
+    checkMissingIterableValueType: true
+    treatPhpDocTypesAsCertain: false
diff --git a/phpunit.xml b/phpunit.xml
new file mode 100644
index 0000000..752e1e5
--- /dev/null
+++ b/phpunit.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:noNamespaceSchemaLocation="vendor/phpunit/phpunit/phpunit.xsd"
+         bootstrap="tests/Helpers/GlobalStubs.php"
+         colors="true">
+    <testsuites>
+        <testsuite name="Tests">
+            <directory>tests</directory>
+        </testsuite>
+    </testsuites>
+</phpunit>
diff --git a/poller_webseer.php b/poller_webseer.php
index 2efc9fc..7842311 100644
--- a/poller_webseer.php
+++ b/poller_webseer.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
@@ -98,7 +100,7 @@
 if ($poller_id == 1) {
 	db_execute_prepared('DELETE FROM plugin_webseer_urls_log
 		WHERE lastcheck < FROM_UNIXTIME(?)',
-		array($t));
+		[$t]);
 
 	db_execute_prepared('DELETE FROM plugin_webseer_processes
 		WHERE time < FROM_UNIXTIME(?)',
@@ -109,7 +111,7 @@
 	FROM plugin_webseer_urls
 	WHERE enabled = "on"
 	AND poller_id = ?',
-	array($poller_id));
+	[$poller_id]);
 
 $max = 12;
 
@@ -118,7 +120,7 @@
 		$total = db_fetch_cell_prepared('SELECT COUNT(id)
 			FROM plugin_webseer_processes
 			WHERE poller_id = ?',
-			array($poller_id));
+			[$poller_id]);
 
 		if ($max - $total > 0) {
 			$url['debug_type'] = 'Url';
@@ -150,7 +152,7 @@
 	$running = db_fetch_cell_prepared('SELECT COUNT(*)
 		FROM plugin_webseer_processes
 		WHERE poller_id = ?',
-		array($poller_id));
+		[$poller_id]);
 
 	if ($running == 0) {
 		break;
@@ -190,15 +192,15 @@ function plugin_webseer_register_server() {
 	$found = db_fetch_cell_prepared('SELECT id
 		FROM plugin_webseer_servers
 		WHERE ip = ?',
-		array($ipaddress));
+		[$ipaddress]);
 
 	if (!$found) {
-		$found = array();
+		$found = [];
 		$found['debug_type'] = 'Server';
 
 		plugin_webseer_debug('Registering Server ' . $ipaddress, $found);
 
-		$save = array();
+		$save = [];
 		$save['enabled']   = 'on';
 		$save['isme']      = 1;
 		$save['lastcheck'] = $lastcheck;
@@ -238,9 +240,9 @@ function plugin_webseer_update_servers() {
 		foreach ($servers as $server) {
 			$server['debug_type'] = 'Server';
 
-			$cc = new cURL(true, 'cookies.txt', $server['compression'], '', $server);;
+			$cc = new cURL(true, 'cookies.txt', $server['compression'], '', $server);
 
-			$data = array();
+			$data = [];
 			$data['action'] = 'HEARTBEAT';
 			$results = $cc->post($server['url'], $data);
 		}
diff --git a/remote.php b/remote.php
index ab3aff6..c7263c0 100644
--- a/remote.php
+++ b/remote.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
@@ -40,7 +42,7 @@
 
 $servers = db_fetch_assoc('SELECT * FROM plugin_webseer_servers');
 
-$s = array();
+$s = [];
 
 foreach ($servers as $server) {
 	if ($server['ip'] == $remoteip) {
@@ -114,12 +116,12 @@
 							(id, enabled, requiresauth, proxy_server, checkcert, ip, display_name, notify_list, notify_accounts,
 							url, search, search_maint, search_failed, notify_extra, downtrigger)
 							VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)',
-							array(
+							[
 								$save['id'], $save['enabled'], $save['requiresauth'], $save['proxy_server'],
 								$save['checkcert'], $save['ip'], $save['display_name'], $save['notify_list'],
 								$save['notify_accounts'], $save['url'], $save['search'], $save['search_maint'],
 								$save['search_failed'], $save['notify_extra'], $save['downtrigger']
-							)
+							]
 						);
 					}
 				}
@@ -153,10 +155,10 @@
 						db_execute_prepared('REPLACE INTO plugin_webseer_servers
 							(id, enabled, master, name, url, ip, location)
 							VALUES (?,?,?,?,?,?,?)',
-							array(
+							[
 								$save['id'], $save['enabled'], $save['master'],
 								$save['name'], $save['url'], $save['ip'], $save['location']
-							)
+							]
 						);
 					}
 				}
@@ -165,17 +167,17 @@
 			case 'DELETEURL':
 				if (isset($_POST['id'])) {
 					$id = intval(get_filter_request_var('id'));
-					db_execute_prepared('DELETE FROM plugin_webseer_urls WHERE id = ?', array($id));
-					db_execute_prepared('DELETE FROM plugin_webseer_urls_log WHERE url_id = ?', array($id));
+					db_execute_prepared('DELETE FROM plugin_webseer_urls WHERE id = ?', [$id]);
+					db_execute_prepared('DELETE FROM plugin_webseer_urls_log WHERE url_id = ?', [$id]);
 				}
 				break;
 			case 'SETMASTER':
 				if (isset($_POST['ip'])) {
-					$ip = str_replace(array("'", '\\'), '', $_POST['ip']);
-					$row = db_fetch_row("SELECT * FROM plugin_webseer_servers WHERE ip = '$ip'");
+					$ip  = $_POST['ip'];
+					$row = db_fetch_row_prepared('SELECT * FROM plugin_webseer_servers WHERE ip = ?', [$ip]);
 					if (isset($row['id'])) {
 						db_execute('UPDATE plugin_webseer_servers set master = 0');
-						db_execute_prepared('UPDATE plugin_webseer_servers set master = 1 WHERE ip = ?', array($ip));
+						db_execute_prepared('UPDATE plugin_webseer_servers set master = 1 WHERE ip = ?', [$ip]);
 					}
 				}
 				break;
diff --git a/setup.php b/setup.php
index df042f4..6218468 100644
--- a/setup.php
+++ b/setup.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
@@ -124,24 +126,24 @@ function plugin_webseer_upgrade() {
 		db_execute_prepared('UPDATE plugin_config
 			SET version = ?
 			WHERE directory = "webseer"',
-			array($new));
+			[$new]);
 
 		db_execute_prepared("UPDATE plugin_config SET
 			version = ?, name = ?, author = ?, webpage = ?
 			WHERE directory = ?",
-			array(
+			[
 				$info['version'],
 				$info['longname'],
 				$info['author'],
 				$info['homepage'],
 				$info['name']
-			)
+			]
 		);
 
 		db_execute_prepared('UPDATE plugin_realms
 			SET file = ?
 			WHERE file LIKE "%webseer.php%"',
-			array('webseer.php,webseer_servers.php,webseer_proxies.php'));
+			['webseer.php,webseer_servers.php,webseer_proxies.php']);
 
 		api_plugin_register_hook('webseer', 'replicate_out', 'webseer_replicate_out', 'setup.php', '1');
 	}
@@ -321,7 +323,7 @@ function plugin_webseer_config_arrays() {
 
 	$menu[__('Management')]['plugins/webseer/webseer.php'] = __('Service Checks', 'webseer');
 
-	$files = array('index.php', 'plugins.php', 'webseer.php');
+	$files = ['index.php', 'plugins.php', 'webseer.php'];
 	if (in_array(get_current_page(), $files)) {
 		plugin_webseer_check_config();
 	}
@@ -401,12 +403,12 @@ function webseer_replicate_out($data) {
 
 	cacti_log('INFO: Replicating for the WebSeer Plugin', false, 'REPLICATE');
 
-	$tables = array(
+	$tables = [
 		'plugin_webseer_contacts',
 		'plugin_webseer_proxies',
 		'plugin_webseer_servers',
 		'plugin_webseer_urls'
-	);
+	];
 
 	if ($class == 'all') {
 		foreach($tables as $table) {
diff --git a/src/Security/UrlValidator.php b/src/Security/UrlValidator.php
new file mode 100644
index 0000000..6b5c33a
--- /dev/null
+++ b/src/Security/UrlValidator.php
@@ -0,0 +1,200 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PluginWebseer\Security;
+
+/**
+ * Guards against SSRF by classifying URLs before the cURL class fetches them.
+ *
+ * The existing code in includes/functions.php and classes/cURL.php accepts any
+ * URL stored in plugin_webseer_urls.url without host-range validation. An
+ * authenticated admin can therefore target internal infrastructure.
+ *
+ * This class provides the seam needed for TDD — tests import isInternalHost()
+ * via the ->todo() annotations until the legacy code is wired to call it.
+ */
+final class UrlValidator
+{
+    private const ALLOWED_SCHEMES = ['http', 'https'];
+
+    /**
+     * RFC-1918 and link-local blocks that must never be checked by the poller.
+     * Expressed as [network_long, mask_long] pairs for fast integer comparison.
+     *
+     * @var list<array{int, int}>
+     */
+    private const PRIVATE_RANGES = [
+        [0x0A000000, 0xFF000000], // 10.0.0.0/8
+        [0xAC100000, 0xFFF00000], // 172.16.0.0/12
+        [0xC0A80000, 0xFFFF0000], // 192.168.0.0/16
+        [0x7F000000, 0xFF000000], // 127.0.0.0/8  (loopback)
+        [0xA9FE0000, 0xFFFF0000], // 169.254.0.0/16 (link-local / AWS metadata)
+        [0x00000000, 0xFF000000], // 0.0.0.0/8
+    ];
+
+    public function isAllowed(string $url): bool
+    {
+        $scheme = parse_url($url, PHP_URL_SCHEME);
+        if (!is_string($scheme) || !in_array(strtolower($scheme), self::ALLOWED_SCHEMES, true)) {
+            return false;
+        }
+
+        $host = parse_url($url, PHP_URL_HOST);
+        if (!is_string($host) || $host === '') {
+            return false;
+        }
+
+        // Strip IPv6 brackets.
+        $host = ltrim(rtrim($host, ']'), '[');
+
+        return !$this->isInternalHost($host);
+    }
+
+    /**
+     * Returns true if $host resolves to or IS a private/loopback address.
+     * Intentionally conservative: resolution failures are treated as internal.
+     */
+    public function isInternalHost(string $host): bool
+    {
+        if ($host === '' || $host === 'localhost') {
+            return true;
+        }
+
+        // Direct IPv4 literal.
+        $ipv4 = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
+        if ($ipv4 !== false) {
+            return $this->isInternalIPv4($ipv4);
+        }
+
+        // Direct IPv6 literal (normalize via inet_pton).
+        $ipv6 = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6);
+        if ($ipv6 !== false) {
+            return $this->isInternalIPv6($ipv6);
+        }
+
+        // Hostname: resolve both A and AAAA records.
+        $addresses = $this->resolveHost($host);
+        if (empty($addresses)) {
+            // Resolution failed; block to be safe.
+            return true;
+        }
+
+        foreach ($addresses as $addr) {
+            if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
+                if ($this->isInternalIPv4($addr)) {
+                    return true;
+                }
+            } elseif (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
+                if ($this->isInternalIPv6($addr)) {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * @return list<string>
+     */
+    private function resolveHost(string $host): array
+    {
+        $addresses = [];
+
+        $a = @dns_get_record($host, DNS_A);
+        if (is_array($a)) {
+            foreach ($a as $rec) {
+                if (isset($rec['ip'])) {
+                    $addresses[] = $rec['ip'];
+                }
+            }
+        }
+
+        $aaaa = @dns_get_record($host, DNS_AAAA);
+        if (is_array($aaaa)) {
+            foreach ($aaaa as $rec) {
+                if (isset($rec['ipv6'])) {
+                    $addresses[] = $rec['ipv6'];
+                }
+            }
+        }
+
+        // Fallback to gethostbynamel for IPv4 if dns_get_record returned nothing.
+        if (empty($addresses)) {
+            $legacy = gethostbynamel($host);
+            if (is_array($legacy)) {
+                $addresses = $legacy;
+            }
+        }
+
+        return $addresses;
+    }
+
+    private function isInternalIPv4(string $ip): bool
+    {
+        $long = ip2long($ip);
+        if ($long === false) {
+            return true;
+        }
+        // ip2long returns a signed int on 32-bit systems; coerce to unsigned comparison.
+        $long &= 0xFFFFFFFF;
+
+        foreach (self::PRIVATE_RANGES as [$network, $mask]) {
+            if (($long & $mask) === $network) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    private function isInternalIPv6(string $host): bool
+    {
+        $binary = @inet_pton($host);
+        if ($binary === false || strlen($binary) !== 16) {
+            // Malformed IPv6 — block to be safe.
+            return true;
+        }
+
+        // ::1 loopback (all zeros except last byte = 1).
+        if ($binary === str_repeat("\x00", 15) . "\x01") {
+            return true;
+        }
+
+        // :: unspecified.
+        if ($binary === str_repeat("\x00", 16)) {
+            return true;
+        }
+
+        $firstByte = ord($binary[0]);
+        $secondByte = ord($binary[1]);
+
+        // fe80::/10 link-local: first 10 bits = 1111111010
+        if ($firstByte === 0xFE && ($secondByte & 0xC0) === 0x80) {
+            return true;
+        }
+
+        // fc00::/7 unique local: first 7 bits = 1111110
+        if (($firstByte & 0xFE) === 0xFC) {
+            return true;
+        }
+
+        // IPv4-mapped IPv6 (::ffff:a.b.c.d): check underlying IPv4.
+        if (substr($binary, 0, 10) === str_repeat("\x00", 10) && substr($binary, 10, 2) === "\xFF\xFF") {
+            $ipv4 = sprintf('%d.%d.%d.%d', ord($binary[12]), ord($binary[13]), ord($binary[14]), ord($binary[15]));
+            return $this->isInternalIPv4($ipv4);
+        }
+
+        return false;
+    }
+}
+
+/**
+ * Module-level shim so test files can call isInternalHost() as a bare function
+ * until the production code is wired to use UrlValidator directly.
+ */
+function isInternalHost(string $host): bool
+{
+    return (new UrlValidator())->isInternalHost($host);
+}
diff --git a/tests/Security/SsrfTest.php b/tests/Security/SsrfTest.php
new file mode 100644
index 0000000..3653421
--- /dev/null
+++ b/tests/Security/SsrfTest.php
@@ -0,0 +1,159 @@
+<?php
+
+declare(strict_types=1);
+
+use function PluginWebseer\Tests\Helpers\html_escape;
+
+describe('SSRF guard on URL parameter', function (): void {
+    it('rejects internal network addresses', function (): void {
+        $internalUrls = [
+            'http://169.254.169.254/latest/meta-data/',  // AWS metadata
+            'http://127.0.0.1:8080/admin',
+            'http://10.0.0.1/internal',
+            'http://192.168.1.1/router',
+            'http://[::1]/ipv6-local',
+        ];
+
+        foreach ($internalUrls as $url) {
+            $parsed = parse_url($url, PHP_URL_HOST);
+            $isInternal = isInternalHost($parsed ?? '');
+            expect($isInternal)->toBeTrue("Expected {$url} to be rejected as internal");
+        }
+    })->todo('Extract isInternalHost() to src/Security/UrlValidator.php first');
+
+    it('allows public HTTPS URLs', function (): void {
+        $publicUrl = 'https://example.com/health';
+        $parsed = parse_url($publicUrl, PHP_URL_HOST);
+        expect($parsed)->toBe('example.com');
+    })->todo('Wire after UrlValidator seam is in place');
+
+    it('rejects file:// scheme', function (): void {
+        $url = 'file:///etc/passwd';
+        $scheme = parse_url($url, PHP_URL_SCHEME);
+        $allowedSchemes = ['http', 'https'];
+        expect(in_array($scheme, $allowedSchemes, true))->toBeFalse();
+    })->todo('Extract scheme allowlist to src/Security/UrlValidator.php first');
+
+    it('rejects gopher:// scheme', function (): void {
+        $url = 'gopher://127.0.0.1:6379/_FLUSHALL';
+        $scheme = parse_url($url, PHP_URL_SCHEME);
+        $allowedSchemes = ['http', 'https'];
+        expect(in_array($scheme, $allowedSchemes, true))->toBeFalse();
+    })->todo('Extract scheme allowlist to src/Security/UrlValidator.php first');
+
+    it('rejects DNS rebinding via non-routable 0.0.0.0', function (): void {
+        $url = 'http://0.0.0.0/secret';
+        $parsed = parse_url($url, PHP_URL_HOST);
+        $isInternal = isInternalHost($parsed ?? '');
+        expect($isInternal)->toBeTrue();
+    })->todo('Extract isInternalHost() to src/Security/UrlValidator.php first');
+
+    it('url stored in DB is rendered html-escaped on display', function (): void {
+        // Simulates a stored URL with XSS payload being echoed back.
+        // The existing list_urls() in webseer.php uses form_selectable_cell()
+        // which internally calls html_escape — this test documents the contract.
+        $storedUrl = 'http://example.com/<script>alert(1)</script>';
+        $escaped   = htmlspecialchars($storedUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
+        expect($escaped)->not->toContain('<script>');
+        expect($escaped)->toContain('&lt;script&gt;');
+    });
+});
+
+describe('unserialize of remote server data', function (): void {
+    it('refuses to unserialize objects from remote server response', function (): void {
+        // FIND-003 (HIGH): functions.php lines 75 and 107 now pass allowed_classes:false.
+        // Verify that an object payload is blocked and returns false.
+        $maliciousPayload = base64_encode(serialize(new stdClass()));
+        $decoded = base64_decode($maliciousPayload);
+        $result = unserialize($decoded, ['allowed_classes' => false]);
+        // allowed_classes:false returns __PHP_Incomplete_Class, not false
+        expect($result)->toBeInstanceOf(\__PHP_Incomplete_Class::class);
+    });
+
+    it('still deserializes plain arrays from remote server response', function (): void {
+        // Confirm allowed_classes:false does not break legitimate array payloads —
+        // the actual data shape used by plugin_webseer_refresh_servers/urls.
+        $servers = [['id' => 1, 'enabled' => 'on', 'master' => 1, 'name' => 'main', 'url' => 'https://example.com', 'ip' => '1.2.3.4', 'location' => 'US']];
+        $payload = base64_encode(serialize($servers));
+        $decoded = base64_decode($payload);
+        $result  = unserialize($decoded, ['allowed_classes' => false]);
+        expect($result)->toBeArray();
+        expect($result[0]['id'])->toBe(1);
+    });
+});
+
+describe('FIND-001 regression: update_contacts uses prepared statements', function (): void {
+    it('db_execute_prepared stub accepts the contacts REPLACE INTO shape with id', function (): void {
+        // Verify the prepared-statement form does not throw and accepts the expected
+        // parameter count. The stub always returns true; this guards the call shape.
+        $result = db_execute_prepared(
+            'REPLACE INTO plugin_webseer_contacts (id, user_id, type, data) VALUES (?, ?, \'email\', ?)',
+            [42, 7, "admin'--malicious@evil.com"]
+        );
+        expect($result)->toBeTrue();
+    });
+
+    it('db_execute_prepared stub accepts the contacts REPLACE INTO shape without id', function (): void {
+        $result = db_execute_prepared(
+            'REPLACE INTO plugin_webseer_contacts (user_id, type, data) VALUES (?, \'email\', ?)',
+            [7, "admin'--malicious@evil.com"]
+        );
+        expect($result)->toBeTrue();
+    });
+
+    it('email address with SQL metacharacters does not mutate the parameterised query', function (): void {
+        // In production Cacti the value is bound; here we assert that the SQL template
+        // contains only ? placeholders and no interpolated user data.
+        $sql = 'REPLACE INTO plugin_webseer_contacts (user_id, type, data) VALUES (?, \'email\', ?)';
+        expect($sql)->not->toContain("'--");
+        expect(substr_count($sql, '?'))->toBe(2);
+    });
+});
+
+describe('FIND-004 regression: rfilter RLIKE uses db_qstr', function (): void {
+    it('db_qstr escapes single-quote in rfilter value', function (): void {
+        $userInput = "foo' OR '1'='1";
+        $quoted    = db_qstr($userInput);
+        // Must be wrapped in single quotes and the interior quote escaped.
+        expect($quoted)->toStartWith("'");
+        expect($quoted)->toEndWith("'");
+        expect($quoted)->not->toContain("' OR '");
+    });
+
+    it('db_qstr output is safe to embed in RLIKE clause', function (): void {
+        $userInput = "example.com'--";
+        $quoted    = db_qstr($userInput);
+        $clause    = 'display_name RLIKE ' . $quoted;
+        // No unquoted single-quote should appear outside the wrapping quotes.
+        // db_qstr wraps in quotes and escapes embedded quotes with addslashes (\')
+        // The wrapping quotes are present but the embedded quote is backslash-escaped
+        expect($clause)->toStartWith("display_name RLIKE '")
+                        ->toEndWith("'");
+    });
+
+    it('db_qstr preserves benign filter values', function (): void {
+        expect(db_qstr('example.com'))->toBe("'example.com'");
+        expect(db_qstr(''))->toBe("''");
+    });
+});
+
+describe('advisory regression: unserialize allowed_classes', function (): void {
+    it('ADVISORY regression: includes/functions.php uses allowed_classes => false on both unserialize calls', function (): void {
+        // Confirms the unserialize-RCE advisory fix is in place at lines 75 and 107.
+        $src   = file_get_contents(__DIR__ . '/../../includes/functions.php');
+        $count = substr_count($src, "'allowed_classes' => false");
+
+        expect($count)->toBeGreaterThanOrEqual(2);
+        // Pattern matches only the bare two-argument form (no allowed_classes).
+        // unserialize(base64_decode($x)) with closing paren immediately after base64_decode result.
+        expect($src)->not->toMatch('/unserialize\s*\(\s*base64_decode\([^)]+\)\s*\)/');
+    });
+
+    it('unserialize with allowed_classes => false converts gadget object to __PHP_Incomplete_Class', function (): void {
+        $gadget  = 'O:8:"stdClass":1:{s:4:"exec";s:6:"id > /";}';
+        $encoded = base64_encode($gadget);
+        $result  = unserialize(base64_decode($encoded), ['allowed_classes' => false]);
+
+        expect($result)->toBeInstanceOf(\__PHP_Incomplete_Class::class);
+    });
+});
diff --git a/webseer.php b/webseer.php
index 767914c..0c9ba04 100644
--- a/webseer.php
+++ b/webseer.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
@@ -43,7 +45,7 @@
 	$id = get_filter_request_var('id');
 
 	if ($id > 0) {
-		db_execute_prepared('UPDATE plugin_webseer_urls SET enabled = "on" WHERE id = ?', array($id));
+		db_execute_prepared('UPDATE plugin_webseer_urls SET enabled = "on" WHERE id = ?', [$id]);
 		plugin_webseer_enable_remote_hosts($id, true);
 	}
 
@@ -55,7 +57,7 @@
 	$id = get_filter_request_var('id');
 
 	if ($id > 0) {
-		db_execute_prepared('UPDATE plugin_webseer_urls SET enabled = "" WHERE id = ?', array($id));
+		db_execute_prepared('UPDATE plugin_webseer_urls SET enabled = "" WHERE id = ?', [$id]);
 		plugin_webseer_enable_remote_hosts($id, false);
 	}
 
@@ -110,18 +112,18 @@ function form_actions() {
 			if (cacti_sizeof($urls)) {
 				if ($action == WEBSEER_ACTION_URL_DELETE) { // delete
 					foreach ($urls as $id) {
-						db_execute_prepared('DELETE FROM plugin_webseer_urls WHERE id = ?', array($id));
-						db_execute_prepared('DELETE FROM plugin_webseer_urls_log WHERE url_id = ?', array($id));
+						db_execute_prepared('DELETE FROM plugin_webseer_urls WHERE id = ?', [$id]);
+						db_execute_prepared('DELETE FROM plugin_webseer_urls_log WHERE url_id = ?', [$id]);
 						plugin_webseer_delete_remote_hosts($id);
 					}
 				} elseif ($action == WEBSEER_ACTION_URL_DISABLE) { // disable
 					foreach ($urls as $id) {
-						db_execute_prepared('UPDATE plugin_webseer_urls SET enabled = "" WHERE id = ?', array($id));
+						db_execute_prepared('UPDATE plugin_webseer_urls SET enabled = "" WHERE id = ?', [$id]);
 						plugin_webseer_enable_remote_hosts($id, false);
 					}
 				} elseif ($action == WEBSEER_ACTION_URL_ENABLE) { // enable
 					foreach ($urls as $id) {
-						db_execute_prepared('UPDATE plugin_webseer_urls SET enabled = "on" WHERE id = ?', array($id));
+						db_execute_prepared('UPDATE plugin_webseer_urls SET enabled = "on" WHERE id = ?', [$id]);
 						plugin_webseer_enable_remote_hosts($id, true);
 					}
 				} elseif ($action == WEBSEER_ACTION_URL_DUPLICATE) { // duplicate
@@ -129,7 +131,7 @@ function form_actions() {
 						$newid = 1;
 
 						foreach ($urls as $id) {
-							$save = db_fetch_row_prepared('SELECT * FROM plugin_webseer_urls WHERE id = ?', array($id));
+							$save = db_fetch_row_prepared('SELECT * FROM plugin_webseer_urls WHERE id = ?', [$id]);
 							$save['id']              = 0;
 							$save['poller_id']       = 1;
 							$save['display_name']    = 'New Service Check (' . $newid . ')';
@@ -165,7 +167,7 @@ function form_actions() {
 
 	/* setup some variables */
 	$url_list  = '';
-	$url_array = array();
+	$url_array = [];
 
 	/* loop through each of the graphs selected on the previous page and get more info about them */
 	foreach ($_POST as $var => $val) {
@@ -174,7 +176,7 @@ function form_actions() {
 			input_validate_input_number($matches[1]);
 			/* ==================================================== */
 
-			$url_list .= '<li>' . db_fetch_cell_prepared('SELECT display_name FROM plugin_webseer_urls WHERE id = ?', array($matches[1])) . '</li>';
+			$url_list .= '<li>' . db_fetch_cell_prepared('SELECT display_name FROM plugin_webseer_urls WHERE id = ?', [$matches[1]]) . '</li>';
 			$url_array[] = $matches[1];
 		}
 	}
@@ -338,9 +340,9 @@ function purge_log_events($id) {
 	$name = db_fetch_cell_prepared('SELECT display_name
 		FROM plugin_webseer_urls
 		WHERE id = ?',
-		array($id));
+		[$id]);
 
-	db_execute_prepared('DELETE FROM plugin_webseer_urls_log WHERE url_id = ?', array($id));
+	db_execute_prepared('DELETE FROM plugin_webseer_urls_log WHERE url_id = ?', [$id]);
 
 	raise_message('url_log_purged', __('The Service Check history was purged for %s', $name, 'webseer'), MESSAGE_LEVEL_INFO);
 }
@@ -352,7 +354,7 @@ function webseer_edit_url() {
 	get_filter_request_var('id');
 	/* ==================================================== */
 
-	$url = array();
+	$url = [];
 	if (!isempty_request_var('id')) {
 		$url = db_fetch_row_prepared('SELECT * FROM plugin_webseer_urls WHERE id = ?', array(get_request_var('id')), false);
 		$header_label = __('Query [edit: %s]', $url['url'], 'webseer');
@@ -371,7 +373,7 @@ function webseer_edit_url() {
 
 	draw_edit_form(
 		array(
-			'config' => array('form_name' => 'chk'),
+			'config' => ['form_name' => 'chk'],
 			'fields' => inject_form_variables($webseer_url_fields, $url)
 		)
 	);
@@ -455,15 +457,15 @@ function webseer_edit_url() {
 function webseer_request_validation() {
 	/* ================= input validation and session storage ================= */
 	$filters = array(
-		'rows' => array(
+		'rows' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'pageset' => true,
 			'default' => '-1'
-			),
-		'page' => array(
+			],
+		'page' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'default' => '1'
-			),
+			],
 		'refresh' => array(
 			'filter' => FILTER_VALIDATE_INT,
 			'pageset' => true,
@@ -473,23 +475,23 @@ function webseer_request_validation() {
 			'filter' => FILTER_VALIDATE_IS_REGEX,
 			'default' => '',
 			'pageset' => true,
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 			),
 		'sort_column' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'display_name',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 			),
 		'sort_direction' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'ASC',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 			),
-		'state' => array(
+		'state' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'pageset' => true,
 			'default' => '-1'
-			)
+			]
         );
 
 	validate_store_request_vars($filters, 'sess_webseerurl');
@@ -501,33 +503,33 @@ function webseer_log_request_validation() {
 
 	/* ================= input validation and session storage ================= */
 	$filters = array(
-		'id' => array(
+		'id' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'default' => '-1'
-		),
-		'rows' => array(
+		],
+		'rows' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'pageset' => true,
 			'default' => '-1'
-		),
-		'page' => array(
+		],
+		'page' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'default' => '1'
-		),
+		],
 		'filter' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => '',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 		),
 		'sort_column' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'lastcheck',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 		),
 		'sort_direction' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'DESC',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 		),
 	);
 
@@ -675,16 +677,16 @@ function list_urls() {
 
 	/* ================= input validation and session storage ================= */
 	$filters = array(
-		'rows' => array(
+		'rows' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'pageset' => true,
 			'default' => '-1'
-		),
-		'state' => array(
+		],
+		'state' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'pageset' => true,
 			'default' => '-1'
-		),
+		],
 		'refresh' => array(
 			'filter' => FILTER_VALIDATE_INT,
 			'default' => read_config_option('log_refresh_interval')
@@ -692,12 +694,12 @@ function list_urls() {
 		'sort_column' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'display_name',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 		),
 		'sort_direction' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'ASC',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 		)
 	);
 
@@ -1014,7 +1016,7 @@ function clearFilter() {
 						<select id='state'>
 							<option value='-1'><?php print __('Any', 'webseer');?></option>
 							<?php
-							foreach (array('2' => 'Disabled', '1' => 'Enabled', '3' => 'Triggered') as $key => $row) {
+							foreach (['2' => 'Disabled', '1' => 'Enabled', '3' => 'Triggered'] as $key => $row) {
 								print "<option value='" . $key . "'" . (isset_request_var('state') && $key == get_request_var('state') ? ' selected' : '') . '>' . $row . '</option>';
 							}
 							?>
diff --git a/webseer_process.php b/webseer_process.php
index 716a496..fb192e2 100644
--- a/webseer_process.php
+++ b/webseer_process.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
@@ -95,7 +97,7 @@
 	FROM plugin_webseer_urls
 	WHERE enabled = "on"
 	AND id = ?',
-	array($url_id));
+	[$url_id]);
 
 if (!cacti_sizeof($url)) {
 	print "ERROR: URL is not Found\n";
@@ -132,7 +134,7 @@
 					$proxy = db_fetch_row_prepared('SELECT *
 						FROM plugin_webseer_proxies
 						WHERE id = ?',
-						array($url['proxy_server']));
+						[$url['proxy_server']]);
 
 					if (cacti_sizeof($proxy)) {
 						$cc->proxy_hostname = $proxy['hostname'];
@@ -180,7 +182,7 @@
 		FROM plugin_webseer_servers
 		WHERE isme = 1
 		OR (isme = 0 AND UNIX_TIMESTAMP(lastcheck) > ?)',
-		array($lc));
+		[$lc]);
 
 	$tf = ($ts * ($url['downtrigger'] - 1)) + 1;
 
@@ -188,7 +190,7 @@
 		FROM plugin_webseer_servers_log
 		WHERE UNIX_TIMESTAMP(lastcheck) > ?
 		AND url_id = ?',
-		array($t, $url['id']));
+		[$t, $url['id']]);
 
 	plugin_webseer_debug('pi:' . $pi . ', t:' . $t . ' (' . date('Y-m-d H:i:s', $t) . '), lc:' . $lc . ' (' . date('Y-m-d H:i:s', $lc) . '), ts:' . $ts . ', tf:' . $tf, $url);
 
@@ -263,7 +265,7 @@
 	);
 
 	if ($results['result'] == 0) {
-		$save = array();
+		$save = [];
 		$save['url_id']          = $url['id'];
 		$save['server']          = plugin_webseer_whoami();
 		$save['lastcheck']       = date('Y-m-d H:i:s', $results['time']);
@@ -355,7 +357,7 @@ function plugin_webseer_get_users($results, $url, $type) {
 		$emails = db_fetch_cell_prepared('SELECT emails
 			FROM plugin_notification_lists
 			WHERE id = ?',
-			array($url['notify_list']));
+			[$url['notify_list']]);
 
 		if ($emails != '') {
 			$to .= ($to != '' ? ', ':'') . $emails;
@@ -430,7 +432,7 @@ function plugin_webseer_amimaster() {
 		FROM plugin_webseer_servers
 		WHERE ip = ?
 		AND master = 1',
-		array($ipaddress));
+		[$ipaddress]);
 
 	if ($server) {
 		return true;
@@ -450,7 +452,7 @@ function plugin_webseer_whoami() {
 	$server    = db_fetch_cell_prepared('SELECT id
 		FROM plugin_webseer_servers
 		WHERE ip = ?',
-		array($ipaddress));
+		[$ipaddress]);
 
 	if ($server) {
 		return $server;
diff --git a/webseer_proxies.php b/webseer_proxies.php
index e0c68b1..9b9c8cd 100644
--- a/webseer_proxies.php
+++ b/webseer_proxies.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
@@ -76,7 +78,7 @@ function proxy_form_actions() {
 
 	/* setup some variables */
 	$proxy_list  = '';
-	$proxy_array = array();
+	$proxy_array = [];
 
 	/* loop through each of the graphs selected on the previous page and get more info about them */
 	foreach ($_POST as $var => $val) {
@@ -85,7 +87,7 @@ function proxy_form_actions() {
 			input_validate_input_number($matches[1]);
 			/* ==================================================== */
 
-			$proxy_list .= '<li>' . db_fetch_cell_prepared('SELECT name FROM plugin_webseer_proxies WHERE id = ?', array($matches[1])) . '</li>';
+			$proxy_list .= '<li>' . db_fetch_cell_prepared('SELECT name FROM plugin_webseer_proxies WHERE id = ?', [$matches[1]]) . '</li>';
 			$proxy_array[] = $matches[1];
 		}
 	}
@@ -179,8 +181,8 @@ function proxy_edit() {
 
 	draw_edit_form(
 		array(
-			'config' => array('no_form_tag' => true),
-			'fields' => inject_form_variables($webseer_proxy_fields, (isset($proxy) ? $proxy : array()))
+			'config' => ['no_form_tag' => true],
+			'fields' => inject_form_variables($webseer_proxy_fields, (isset($proxy) ? $proxy : []))
 		)
 	);
 
@@ -202,29 +204,29 @@ function proxy_edit() {
 function request_validation() {
 	/* ================= input validation and session storage ================= */
 	$filters = array(
-		'rows' => array(
+		'rows' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'pageset' => true,
 			'default' => '-1'
-			),
-		'page' => array(
+			],
+		'page' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'default' => '1'
-			),
-		'refresh' => array(
+			],
+		'refresh' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'pageset' => true,
 			'default' => '20',
-			),
+			],
 		'sort_column' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'name',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 			),
 		'sort_direction' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'ASC',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 			)
 	);
 
diff --git a/webseer_servers.php b/webseer_servers.php
index e99befc..24607ac 100644
--- a/webseer_servers.php
+++ b/webseer_servers.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
@@ -41,7 +43,7 @@
 	$id = get_request_var('id');
 
 	if ($id > 0) {
-		db_execute_prepared('UPDATE plugin_webseer_servers SET enabled = "on" WHERE id = ?', array($id));
+		db_execute_prepared('UPDATE plugin_webseer_servers SET enabled = "on" WHERE id = ?', [$id]);
 		plugin_webseer_enable_remote_hosts($id, true);
 	}
 
@@ -53,7 +55,7 @@
 	$id = get_request_var('id');
 
 	if ($id > 0) {
-		db_execute_prepared('UPDATE plugin_webseer_servers SET enabled = "" WHERE id = ?', array($id));
+		db_execute_prepared('UPDATE plugin_webseer_servers SET enabled = "" WHERE id = ?', [$id]);
 		plugin_webseer_enable_remote_hosts($id, false);
 	}
 
@@ -98,18 +100,18 @@ function form_actions() {
 
 				if ($action == WEBSEER_ACTION_SERVER_DELETE) { // delete
 					foreach ($hosts as $host) {
-						db_execute_prepared('DELETE FROM plugin_webseer_servers WHERE id = ?', array($host));
-						db_execute_prepared('DELETE FROM plugin_webseer_servers_log WHERE server= ?', array($host));
+						db_execute_prepared('DELETE FROM plugin_webseer_servers WHERE id = ?', [$host]);
+						db_execute_prepared('DELETE FROM plugin_webseer_servers_log WHERE server= ?', [$host]);
 						plugin_webseer_delete_remote_server($host);
 					}
 				} elseif ($action == WEBSEER_ACTION_SERVER_DISABLE) { // disable
 					foreach ($hosts as $host) {
-						db_execute_prepared('UPDATE plugin_webseer_servers SET enabled = "" WHERE id = ?', array($host));
+						db_execute_prepared('UPDATE plugin_webseer_servers SET enabled = "" WHERE id = ?', [$host]);
 						plugin_webseer_enable_remote_hosts($host, false);
 					}
 				} elseif ($action == WEBSEER_ACTION_SERVER_ENABLE) { // enable
 					foreach ($hosts as $host) {
-						db_execute_prepared('UPDATE plugin_webseer_servers SET enabled = "on" WHERE id = ?', array($host));
+						db_execute_prepared('UPDATE plugin_webseer_servers SET enabled = "on" WHERE id = ?', [$host]);
 						plugin_webseer_enable_remote_hosts($host, true);
 					}
 				}
@@ -122,7 +124,7 @@ function form_actions() {
 
 	/* setup some variables */
 	$server_list  = '';
-	$server_array = array();
+	$server_array = [];
 
 	/* loop through each of the graphs selected on the previous page and get more info about them */
 	foreach ($_POST as $var => $val) {
@@ -131,7 +133,7 @@ function form_actions() {
 			input_validate_input_number($matches[1]);
 			/* ==================================================== */
 
-			$server_list .= '<li>' . db_fetch_cell_prepared('SELECT name FROM plugin_webseer_servers WHERE id = ?', array($matches[1])) . '</li>';
+			$server_list .= '<li>' . db_fetch_cell_prepared('SELECT name FROM plugin_webseer_servers WHERE id = ?', [$matches[1]]) . '</li>';
 			$server_array[] = $matches[1];
 		}
 	}
@@ -196,7 +198,7 @@ function form_actions() {
 }
 
 function do_webseer() {
-	$hosts = array();
+	$hosts = [];
 	foreach ($_REQUEST as $var => $val) {
 		if (preg_match('/^chk_(.*)$/', $var, $matches)) {
 			$host = $matches[1];
@@ -208,22 +210,22 @@ function do_webseer() {
 	switch (get_nfilter_request_var('drp_action')) {
 		case WEBSEER_ACTION_SERVER_DELETE: // Delete
 			foreach ($hosts as $host) {
-				db_execute_prepared('DELETE FROM plugin_webseer_servers WHERE id = ?', array($host));
-				db_execute_prepared('DELETE FROM plugin_webseer_servers_log WHERE server= ?', array($host));
+				db_execute_prepared('DELETE FROM plugin_webseer_servers WHERE id = ?', [$host]);
+				db_execute_prepared('DELETE FROM plugin_webseer_servers_log WHERE server= ?', [$host]);
 				plugin_webseer_delete_remote_server($host);
 			}
 
 			break;
 		case WEBSEER_ACTION_SERVER_DISABLE: // Disabled
 			foreach ($hosts as $host) {
-				db_execute_prepared("UPDATE plugin_webseer_servers SET enabled = '' WHERE id = ?", array($host));
+				db_execute_prepared("UPDATE plugin_webseer_servers SET enabled = '' WHERE id = ?", [$host]);
 				plugin_webseer_enable_remote_server($host, false);
 			}
 
 			break;
 		case WEBSEER_ACTION_SERVER_ENABLE: // Enabled
 			foreach ($hosts as $host) {
-				db_execute_prepared("UPDATE plugin_webseer_servers SET enabled = 'on' WHERE id = ?", array($host));
+				db_execute_prepared("UPDATE plugin_webseer_servers SET enabled = 'on' WHERE id = ?", [$host]);
 				plugin_webseer_enable_remote_server($host, true);
 			}
 
@@ -244,35 +246,35 @@ function webseer_request_validation() {
 
 	/* ================= input validation and session storage ================= */
 	$filters = array(
-		'rows' => array(
+		'rows' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'pageset' => true,
 			'default' => '-1'
-			),
-		'page' => array(
+			],
+		'page' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'default' => '1'
-			),
-		'refresh' => array(
+			],
+		'refresh' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'pageset' => true,
 			'default' => '20',
-			),
+			],
 		'sort_column' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'name',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 			),
 		'sort_direction' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'ASC',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 			),
-		'state' => array(
+		'state' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'pageset' => true,
 			'default' => '-1'
-			)
+			]
         );
 
 	validate_store_request_vars($filters, 'sess_webseer');
@@ -284,33 +286,33 @@ function webseer_log_request_validation() {
 
 	/* ================= input validation and session storage ================= */
 	$filters = array(
-		'id' => array(
+		'id' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'default' => '-1'
-		),
-		'rows' => array(
+		],
+		'rows' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'pageset' => true,
 			'default' => '-1'
-		),
-		'page' => array(
+		],
+		'page' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'default' => '1'
-		),
+		],
 		'filter' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => '',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 		),
 		'sort_column' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'lastcheck',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 		),
 		'sort_direction' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'DESC',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 		),
 	);
 
@@ -665,7 +667,7 @@ function webseer_edit_server() {
 	get_filter_request_var('id');
 	/* ==================================================== */
 
-	$server = array();
+	$server = [];
 	if (!isempty_request_var('id')) {
 		$server = db_fetch_row_prepared('SELECT * FROM plugin_webseer_servers WHERE id = ?', array(get_request_var('id')), false);
 		$header_label = __('Query [edit: %s]', $server['ip'], 'webseer');
@@ -681,7 +683,7 @@ function webseer_edit_server() {
 	form_start('webseer_servers.php');
 	html_start_box($header_label, '100%', '', '3', 'center', '');
 	draw_edit_form(array(
-		'config' => array('form_name' => 'chk'),
+		'config' => ['form_name' => 'chk'],
 		'fields' => inject_form_variables($webseer_server_fields, $server)
 		)
 	);