Consume panic-attack patch-bridge registry as a fact source

[hyperpolymath]

Current state

Hypatia reads CVE alerts from GitHub APIs:

• DA001-DA004 — Dependabot alerts
• CSA001-CSA004 — CodeQL security alerts

It does not read panic-attack's local .machine_readable/patch-bridge/registry.json.

Gap

panic-attack establishes a per-CVE reach classification from local code analysis:

• phantom-declared — listed in Cargo.toml but no use site
• phantom-transitive — not declared, pulled transitively
• reachable — declared and used
• unreachable — declared, used, but not reachable from any entry point

Hypatia is currently blind to this richer classification and cannot reason over reach when scoring findings.

Proposed

Add a new fact source / rule module that reads .machine_readable/patch-bridge/registry.json from the repo under analysis.

• Schema home: panic-attack/src/bridge/mod.rs (BridgeReport struct)
• In-flight schema change: panic-attack#16 splits prior phantom into phantom-declared vs phantom-transitive. Consumer should target the post-chore(deps): bump trufflesecurity/trufflehog from 3.92.4 to 3.92.5 #16 schema (check schema_version).

Track E findings (motivation)

Today's Track E security sweep across 29 repos revealed that 26/29 repos contained transitive-dep misclassifications that Dependabot alone could not have surfaced. panic-attack catches these locally; hypatia is the natural aggregator.

Acceptance criteria

• Locate registry file at <repo>/.machine_readable/patch-bridge/registry.json
• Deserialize BridgeReport matching panic-attack's schema_version (post-chore(deps): bump trufflesecurity/trufflehog from 3.92.4 to 3.92.5 #16)
• Emit findings as hypatia facts (one per CVE entry; carry reach + classification + severity)
• Smoke test against panic-attack's own registry
• Document the rule family identifier (suggest PA001-PA004 to mirror DA/CSA)

References

• panic-attack#16 — in-flight PR introducing split reach values
• Track E sweep summary (in-session, 26/29 repos affected)

[hyperpolymath]

Downstream tracker: #359 enumerates higher-order composition rules that become possible once this issue lands the registry as a fact source.

[hyperpolymath]

Scoped status (2026-05-30 — cicd label triage)

Quick read of the current state vs the acceptance criteria:

• Schema dependency: panic-attack#16 ("split phantom into phantom-declared / phantom-transitive") merged 2026-04-09 (PR was the title-match "fix: add missing file/line fields to WeakPoint initializers"; need to verify the relevant reach-split shape actually shipped — title doesn't match the reach split, so the schema dependency may actually still be ahead of us. Owner action: confirm which panic-attack PR carries the split and re-link here).
• Registry file existence: gh api repos/hyperpolymath/panic-attack/contents/.machine_readable/patch-bridge/registry.json returns 404 today. No registry produced yet on the producer side.

So two upstream gaps, both producer-side, before hypatia can consume:

1. panic-attack must emit registry.json (file does not exist).
2. The post-chore(deps): bump trufflesecurity/trufflehog from 3.92.4 to 3.92.5 #16 reach-split schema needs to be confirmed and the schema_version carried.

Recommended plan (when upstream is ready)

• Add crates/hypatia-rules/src/pa_reach/ with PA001-PA004 mirroring DA/CSA shape.
• Read <repo>/.machine_readable/patch-bridge/registry.json as a fact source (deserialize BridgeReport; gate on schema_version).
• Smoke test against panic-attack's own registry once it exists.
• Document the rule family in CHANGELOG + hypatia rule list.

Action

Leaving open, blocked on panic-attack registry emission. cicd label retained as the rule-family belongs to the CI/CD fact-source landscape.