diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c398224..a272231 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -82,15 +82,15 @@ jobs:
 mysql:
 image: mysql:${{ matrix.version }}
 env:
- MYSQL_ALLOW_EMPTY_PASSWORD: "yes"
+ MYSQL_ROOT_PASSWORD: root
 MYSQL_DATABASE: backup_xfer_test
 ports:
 - 3306:3306
 options: >-
- --health-cmd="mysqladmin ping -h 127.0.0.1 --silent"
+ --health-cmd="mysqladmin ping -h 127.0.0.1 -uroot -proot --silent"
 --health-interval=10s --health-timeout=5s --health-retries=20
 env:
- BACKUP_TEST_MYSQL: 'host=127.0.0.1;port=3306;username=root;password=;database=backup_xfer_test'
+ BACKUP_TEST_MYSQL: 'host=127.0.0.1;port=3306;username=root;password=root;database=backup_xfer_test'
 steps:
 - name: Harden runner
 uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
@@ -120,7 +120,7 @@ jobs:
 mariadb:
 image: mariadb:${{ matrix.version }}
 env:
- MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: "yes"
+ MARIADB_ROOT_PASSWORD: root
 MARIADB_DATABASE: backup_xfer_test
 ports:
 - 3306:3306
@@ -131,7 +131,7 @@ jobs:
 # Driver `mariadb` (illuminate v13's dedicated one) makes the
 # connection report driverName=mariadb — the exact path that
 # regressed. The harness picks it from the engine key, not env.
- BACKUP_TEST_MARIADB: 'host=127.0.0.1;port=3306;username=root;password=;database=backup_xfer_test'
+ BACKUP_TEST_MARIADB: 'host=127.0.0.1;port=3306;username=root;password=root;database=backup_xfer_test'
 steps:
 - name: Harden runner
 uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
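Review bot: The credentials added to the health probe, `--health-cmd="mysqladmin ping -h 127.0.0.1 -uroot -proot --silent"`, do not make the readiness gate any stricter, because `mysqladmin ping` exits 0 whenever the server answers, including when it answers with an access-denied error; the same line is changed again in the hunk at -195. If the intent is to wait until root can actually authenticate with the new `MYSQL_ROOT_PASSWORD`, the probe needs a real query, for example `--health-cmd="mysql -h 127.0.0.1 -uroot -proot -e 'SELECT 1'"`. If the intent was only to keep the probe working after the password change, the previous command without `-uroot -proot` was already sufficient and avoided the per-probe password-on-command-line warning on stderr.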
@@ -195,17 +195,17 @@ jobs:
 mysql:
 image: mysql:8.4
 env:
- MYSQL_ALLOW_EMPTY_PASSWORD: "yes"
+ MYSQL_ROOT_PASSWORD: root
 MYSQL_DATABASE: backup_xfer_test
 ports:
 - 3306:3306
 options: >-
- --health-cmd="mysqladmin ping -h 127.0.0.1 --silent"
+ --health-cmd="mysqladmin ping -h 127.0.0.1 -uroot -proot --silent"
 --health-interval=10s --health-timeout=5s --health-retries=20
 mariadb:
 image: mariadb:11.4
 env:
- MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: "yes"
+ MARIADB_ROOT_PASSWORD: root
 MARIADB_DATABASE: backup_xfer_test
 ports:
 # Host 3307 to avoid colliding with mysql's 3306 mapping.
@@ -224,8 +224,8 @@ jobs:
 --health-cmd="pg_isready -U postgres"
 --health-interval=10s --health-timeout=5s --health-retries=20
 env:
- BACKUP_TEST_MYSQL: 'host=127.0.0.1;port=3306;username=root;password=;database=backup_xfer_test'
- BACKUP_TEST_MARIADB: 'host=127.0.0.1;port=3307;username=root;password=;database=backup_xfer_test'
+ BACKUP_TEST_MYSQL: 'host=127.0.0.1;port=3306;username=root;password=root;database=backup_xfer_test'
+ BACKUP_TEST_MARIADB: 'host=127.0.0.1;port=3307;username=root;password=root;database=backup_xfer_test'
 BACKUP_TEST_POSTGRES: 'host=127.0.0.1;port=5432;username=postgres;password=postgres;database=backup_xfer_test'
 steps:
 - name: Harden runner
diff --git a/src/Api/Controller/ChunkImportController.php b/src/Api/Controller/ChunkImportController.php
index e68126e..f392e04 100644
--- a/src/Api/Controller/ChunkImportController.php
+++ b/src/Api/Controller/ChunkImportController.php
@@ -137,7 +137,7 @@ private function loadMeta(string $dir): array
 {
 $path = $dir.DIRECTORY_SEPARATOR.'upload.meta.json';
 if (! is_file($path)) return [];
- $raw = @file_get_contents($path);
+ $raw = @file_get_contents($path); /* leitura de arquivo local, sem URL de input; nosemgrep: flarum-v2-server-side-fetch */
 if ($raw === false) return [];
 $data = json_decode($raw, true);
 return is_array($data) ? $data : [];
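Review bot: The suppression rationale added on `$raw = @file_get_contents($path);` is written in Portuguese while the code, the exception messages and the existing comments touched by this commit (the `# Driver` block in ci.yml) are in English; the same applies to every other `nosemgrep` comment in this commit (InspectImportController -88, ExportJob -923 and -1009, ImportJob -771, JobState -44, CliTransferE2ETest -5/-230/-239, Engines -3). A suppression is a security decision that later triagers must be able to audit, so suggest the English form `/* local file read, no URL from input; nosemgrep: flarum-v2-server-side-fetch */`. In this method the claim is backed by the `if (! is_file($path)) return [];` guard two lines up, which is what rejects URL-style paths before the read, so that guard should stay adjacent to the suppressed line.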
diff --git a/src/Api/Controller/InspectImportController.php b/src/Api/Controller/InspectImportController.php
index b6f5fee..73b751b 100644
--- a/src/Api/Controller/InspectImportController.php
+++ b/src/Api/Controller/InspectImportController.php
@@ -88,7 +88,7 @@ private function loadMeta(string $dir): array
 {
 $path = $dir.DIRECTORY_SEPARATOR.'upload.meta.json';
 if (! is_file($path)) return [];
- $raw = @file_get_contents($path);
+ $raw = @file_get_contents($path); /* leitura de arquivo local, sem URL de input; nosemgrep: flarum-v2-server-side-fetch */
 if ($raw === false) return [];
 $data = json_decode($raw, true);
 return is_array($data) ? $data : [];
diff --git a/src/Job/ExportJob.php b/src/Job/ExportJob.php
index 32cbaba..ddd3387 100644
--- a/src/Job/ExportJob.php
+++ b/src/Job/ExportJob.php
@@ -923,7 +923,7 @@ function (\SplFileInfo $current) use ($skipMap, $pruneMap) {
 */
 private function loadManifest(string $path): array
 {
- $raw = @file_get_contents($path);
+ $raw = @file_get_contents($path); /* leitura de arquivo local, sem URL de input; nosemgrep: flarum-v2-server-side-fetch */
 if ($raw === false || $raw === '') return [];
 $out = [];
@@ -1009,7 +1009,7 @@ private function detectFlarumVersion(): string
 {
 $composer = $this->appPaths->base.DIRECTORY_SEPARATOR.'composer.lock';
 if (is_file($composer)) {
- $data = json_decode((string) file_get_contents($composer), true);
+ $data = json_decode((string) file_get_contents($composer), true); /* leitura de arquivo local, sem URL de input; nosemgrep: flarum-v2-server-side-fetch */
 if (is_array($data) && isset($data['packages'])) {
 foreach ($data['packages'] as $pkg) {
 if (($pkg['name'] ?? '') === 'flarum/core') {
diff --git a/src/Job/ImportJob.php b/src/Job/ImportJob.php
index c9a21e9..2e5d682 100644
--- a/src/Job/ImportJob.php
+++ b/src/Job/ImportJob.php
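Review bot: In the -923 hunk, `loadManifest` reads `$path` with `@file_get_contents($path)` and no `is_file()` guard, unlike `loadMeta` in both controllers, `detectFlarumVersion` at -1009 and `JobState::load`, so the property the new comment asserts ("local file, no URL from input") is not enforced at this call site and rests on every caller of `loadManifest`, all of which are outside the hunk. Adding `if (! is_file($path)) return [];` before the read makes the suppressed finding locally true, mirrors the sibling methods, and leaves the `@` needed only for races between the check and the read. The method body continues past the end of the hunk.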
@@ -771,7 +771,7 @@ private function extensionDestinationMap(JobState $state): array
 private function resolveDestination(string $name, JobState $state): ?string
 {
 $name = ltrim($name, '/');
- if (str_contains($name, '..') || str_contains($name, "\0") || str_contains($name, '\\')) {
+ if (str_contains($name, '..') || str_contains($name, "\0") || str_contains($name, '\\')) { /* rejeita (não remove) e o destino ainda passa pela contenção com realpath abaixo; nosemgrep: flarum-v2-path-traversal-naive-filter */
 return null;
 }
diff --git a/src/Job/JobState.php b/src/Job/JobState.php
index 930b2df..c81ac50 100644
--- a/src/Job/JobState.php
+++ b/src/Job/JobState.php
@@ -44,7 +44,7 @@ public static function load(string $file): self
 if (! is_file($file)) {
 throw new RuntimeException('Job state file not found: '.$file);
 }
- $raw = @file_get_contents($file);
+ $raw = @file_get_contents($file); /* leitura de arquivo local, sem URL de input; nosemgrep: flarum-v2-server-side-fetch */
 if ($raw === false) {
 throw new RuntimeException('Could not read job state.');
 }
diff --git a/tests/Integration/CliTransferE2ETest.php b/tests/Integration/CliTransferE2ETest.php
index f2feff1..a875dba 100644
--- a/tests/Integration/CliTransferE2ETest.php
+++ b/tests/Integration/CliTransferE2ETest.php
@@ -5,7 +5,7 @@
 use Flarum\Foundation\Config;
 use Flarum\Foundation\Paths;
 use Illuminate\Container\Container;
-use Illuminate\Database\Capsule\Manager as Capsule;
+use Illuminate\Database\Capsule\Manager as Capsule; /* harness de teste standalone, sem boot do Flarum; nosemgrep: flarum-v2-capsule-manager */
 use Illuminate\Database\Schema\Blueprint;
 use Illuminate\Events\Dispatcher;
 use Mockery;
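Review bot: In the -5 hunk the `nosemgrep: flarum-v2-capsule-manager` annotation is attached to the import `use Illuminate\Database\Capsule\Manager as Capsule;`, but a nosemgrep comment only silences a finding that starts on that line (or the line just before it); if the rule reports the `new Capsule(...)` or `Capsule::` usage sites rather than the import, this comment suppresses nothing and the finding remains. The same placement is used in Engines.php at -3. Please confirm on which line the rule reports before relying on this, and move the comment, with its rationale, to the reported line if that is the usage site.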
@@ -230,7 +230,7 @@ public function test_decryption_key_is_never_persisted_to_job_state(): void
 $this->assertFileExists($jobStateFile);
 $this->assertStringNotContainsString(
 $privateKey,
- (string) file_get_contents($jobStateFile),
+ (string) file_get_contents($jobStateFile), /* arquivo local do próprio teste; nosemgrep: flarum-v2-server-side-fetch */
 'Private key was persisted into job.json by start()'
 );
@@ -239,7 +239,7 @@ public function test_decryption_key_is_never_persisted_to_job_state(): void
 if (is_file($jobStateFile)) {
 $this->assertStringNotContainsString(
 $privateKey,
- (string) file_get_contents($jobStateFile),
+ (string) file_get_contents($jobStateFile), /* arquivo local do próprio teste; nosemgrep: flarum-v2-server-side-fetch */
 'Private key leaked into job.json during a tick'
 );
 }
diff --git a/tests/Support/Engines.php b/tests/Support/Engines.php
index 39db69b..55abe88 100644
--- a/tests/Support/Engines.php
+++ b/tests/Support/Engines.php
@@ -3,7 +3,7 @@
 namespace Ramon\Backup\Tests\Support;
 use Illuminate\Container\Container;
-use Illuminate\Database\Capsule\Manager as Capsule;
+use Illuminate\Database\Capsule\Manager as Capsule; /* harness de teste standalone, sem boot do Flarum; nosemgrep: flarum-v2-capsule-manager */
 use Illuminate\Database\Connection;
 use Illuminate\Events\Dispatcher;
 use PDO;
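Review bot: In the -230 hunk, `$this->assertStringNotContainsString($privateKey, (string) file_get_contents($jobStateFile), ...)` compares the raw key bytes against what is presumably a JSON document, so if `$privateKey` contains `/`, newlines or non-ASCII bytes (base64 and PEM material commonly do), `json_encode` would have escaped them and the literal would not match even when the key was persisted; the assertion can then pass for the wrong reason. If the serialised form is known to be unescaped this is fine, but otherwise also decode the file and walk the values, or assert on a fragment of the key that survives JSON escaping. The hunk at -239 repeats the same assertion. `test_decryption_key_is_never_persisted_to_job_state` begins outside this hunk, so how `$privateKey` is built is not visible here.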