panic-attack estate sweep — Track C tracking issue
panic-attack assail flagged the findings below in this repo on 2026-05-26. They are aggregated here for human triage rather than as individual PRs because each requires judgement (supply-chain pin choice, schema-design call, mutation-test gap, etc.).
PA001/PA007 UnsafeCode/UnsafeFFI findings are NOT in this list. Findings already suppressed in audits/assail-classifications.a2ml are also excluded.
Estate tracker: hyperpolymath/panic-attack#32.
### `AtomExhaustion` (1 finding)
file:line list
### `DynamicCodeExecution` (5 findings)
file:line list
High gecko-browser-extension/src/content/content.js:? DOM manipulation (innerHTML/document.write) in gecko-browser-extension/src/content/content.js
High gecko-browser-extension/src/popup/popup.js:? DOM manipulation (innerHTML/document.write) in gecko-browser-extension/src/popup/popup.js
Critical firefox-mcp/extension/content/bridge.js:? eval() usage in firefox-mcp/extension/content/bridge.js
Critical firefox-mcp/extension-mv3/background.js:? eval() usage in firefox-mcp/extension-mv3/background.js
### `HardcodedSecret` (1 finding)
file:line list
### `UnsafeDeserialization` (3 findings)
file:line list
High gitlab-bridge/lib/bs/src/services/MRReviewer.res:? 1 JSON.parseExn calls in gitlab-bridge/lib/bs/src/services/MRReviewer.res (use JSON.parse for safe Result)
High gitlab-bridge/lib/ocaml/MRReviewer.res:? 1 JSON.parseExn calls in gitlab-bridge/lib/ocaml/MRReviewer.res (use JSON.parse for safe Result)
🤖 Discovered during the panic-attack estate sweep (2026-05-26). See hyperpolymath/panic-attack#32 for campaign tracker.