panic-attack estate sweep — 2026-05-26

[hyperpolymath]

panic-attack estate sweep — 2026-05-26

Owner: @hyperpolymath
Scope: 284-repo estate at ~/developer/repos/
Driver: panic-attack assemblyline + per-repo panic-attack assail --headless + manual triage

Summary

Estate-wide panic-attack scan run on 2026-05-26 using canonical panic-attack v2.5.0 binary. Findings turned into narrow per-(repo × file × category) PRs.

• Generic modes (everywhere): assail (static analysis, 49 langs, PA001–PA025), assault (where binary materialises).
• Specialised modes (case-by-case): bridge triage --offline (Cargo.lock repos), signatures (C/C++/Rust unsafe-heavy), temporal (where prior snapshots exist).
• Proof repos (13): assail-only first pass; proof-file fixes go through DRAFT PR + local rebuild verification.

Guardrails honoured

• ❌ features/panic-attacker/ stub dirs untouched (references to canonical tool, not separate copies).
• ❌ vcl-ut/_wt-vclut* worktrees untouched (parallel session).
• ❌ hypatia/.claude/worktrees/agent-* untouched (locked agent sessions).
• ❌ ephapax _wt-eph-* worktrees untouched (proof-debt parallel work).
• ❌ Known parked debts NOT refiled (ephapax preservation formal/Semantics.v:3327, betlang substTop_preserves_typing, boj-server class-J primitives).
• ✅ Honour each repo's audits/assail-classifications.a2ml.
• ✅ All commits GPG-signed; no auto-merge; base=main; SSH remote for .github/workflows/ edits.

Baseline (2026-04-12 system-image)

• 303 repos scanned
• 15,554 weak points (1,898 critical)
• 29.7M lines / 21,018 files

This sweep

Filled in after Pass 1 completes.

• Repos scanned: …
• Repos with findings: …
• Total weak points: …
• Critical: …
• High: …

PRs filed

Updated after each batch.

#	Repo	PR	Category	File / Module	Status
1

Issues filed (findings requiring redesign / human judgement)

#	Repo	Issue	Category	Notes
1

Proof-aware PRs (DRAFT until rebuild passes)

#	Repo	PR	Proof file	Rebuild status
1

Findings parked (already tracked elsewhere)

• ephapax preservation (Semantics.v:3327) → ephapax-preservation-closure-plan
• betlang substTop_preserves_typing → discharge recipe in betlang#27
• boj-server class-J primitive axioms → boj-server-backend-assurance-harness

Related work proposed

• panic-attack: complete VeriSimDB hexad persistence (issue to be filed). The current campaign hits the JSON ceiling — AssemblylineReport.results[].report is #[serde(skip)] so per-finding detail needs a second pass; cross-run PR-state has no native datastore. Finishing the VeriSimDB integration (60% → 100%) would make this kind of campaign cheaper to run next time.

[hyperpolymath]

panic-attack estate sweep — 2026-05-26 (status update)

Owner: @hyperpolymath
Scan tool: panic-attack v2.5.0 built 2026-05-26
Driver: per-repo panic-attack assail --headless --output <repo>.json with 90s timeout

Scan results

Metric	Value
Repos scanned	349 (368 walked, 19 no-source content-only repos skipped)
Total Critical/High candidates	6,069
Already-suppressed (existing audits/assail-classifications.a2ml)	961
Worktree-path artefacts (skipped)	40
Out-of-scope (Low/Medium severity)	2,591
Actionable (this campaign)	2,477 (457 autofix + 1,777 issue + 243 proof-draft)

PRs filed (this session)

#	Repo	PR	Category	Findings	Pattern
1	svalinn	#11	PA022 (CryptoMisuse)	4	test-context-fixture (decodeJwt in bench/tests)
2	proven	#67	PA001+PA007	129	legitimate-ffi (bindings//src/ + ffi//src/)
3	gossamer	#54	PA001+PA007	24	legitimate-ffi (src/interface/ffi/src/)
4	docudactyl	#20	PA001+PA007	15	legitimate-ffi (ffi/zig/src/)
5	proven-servers	#11	PA001+PA007	10	legitimate-ffi (bindings/rust/src/)
6	aerie	#35	PA001+PA007	10	legitimate-ffi (src/api/zig/)
7	boj-server	#153	PA001	2	legitimate-ffi (ffi/zig/src/) — cartridges/* deferred

Total this session: 7 PRs, 194 findings classified.

Remaining work — next-session queue

Track A — legitimate-FFI classifications (high-confidence, batch-able)

Repo	Active PA001/PA007 Critical/High	Notes
boj-server cartridges/*	~113 across ~110 cartridge subdirs	One PR per cartridge OR one bundled cartridge PR
linguist	16 (PA001 + 4× PA022 in samples/C++)	samples/ is reference code; classification
stapeln	10	inspect FFI prefix
ambientops	9 across 8 groups	spread out — file-by-file
valence-shell	8 across 4 groups	impl/rust-cli/src/
polystack	7 across 6 groups	inspect
panll	6 across 5 groups	inspect
HOL	5	proof toolchain — likely proof-draft, not autofix

Track B — real bug fixes (need code edits, not classification)

The triage bucketed 457 "autofix" candidates but most are actually legitimate-FFI. After Track A's classifications land, the true real-defect remainder is likely <50 findings. These are:

• PA022 CryptoMisuse outside test/bench context — JWT decode-without-verify on production paths.
• PA009 HardcodedSecret outside test/CI fixtures — actual leaked tokens.
• PA003 CommandInjection in shipped scripts.
• PA008 PathTraversal in real handlers.

Triage script bucket distribution needs re-run after Track A to see what's left.

Track C — issue-only findings (1,777)

Will be filed as GitHub issues, not PRs (need human judgement):

• PA023 SupplyChain (version pinning)
• PA024 InputBoundary (schema design)
• PA025 MutationGap (test-infra changes)
• PA021 ProofDrift outside parked-debt list (proof refactor)

Track D — proof-aware PRs (243)

DRAFT PRs with local proof-rebuild verification, 13 proof repos:

• echidna (largest: Lean 6, Agda 14, Coq 8, Idris2 12, F* 5, Isabelle 4)
• proven (203 .ipkg)
• agda-stdlib (125 Agda)
• echo-types (64 Agda)
• tropical-resource-typing (1 Lean, 9 Isabelle)
• ephapax (3 Coq + 1 Idris2 — but parked-debt at Semantics.v:3327, do NOT refile)
• kategoria (13 Idris2)
• frayed-knot-toolkit (6 Agda)
• boj-server (1 Idris2)
• standards (2 Idris2 — verification targets)
• zerostep (1 Isabelle)
• burble (2 Idris2)
• ochrance (9 Idris2)

Track E — assault (dynamic) + specialised modes

Not run this session. Per plan:

• Best-effort assault per repo with binary-build attempt (cargo/go/idris2/agda/coq/lean/dune)
• bridge triage --offline for repos with Cargo.lock
• signatures for C/C++/Rust/unsafe-heavy repos
• temporal where prior VeriSimDB snapshots exist

Skipped repos (19, no further action)

• 14 from top-level pass: achievements-lab, cafescripto, claude-memory, dotfiles, ephapax-wiki, humor-ecosystem, info, jaffascript, lucidscript, pseudoscript, repos-monorepo, technical-notes, tentacles-agentic-syllabus, vext
• 5 from nested pass: 4× awesome-projects/awesome-{lua,pandoc,selfhosted,zig}, idaptik-ums

Most are content-only repos (lists, archives, docs). repos-monorepo did time out (likely proof-heavy or huge); revisit with longer timeout.

Guardrails honoured this session

• ✅ All commits GPG-signed (G status)
• ✅ Base = main for every PR
• ✅ No auto-merge enabled
• ✅ No --no-verify / --no-gpg-sign
• ✅ features/panic-attacker/ stub dirs untouched (canonical-tool references)
• ✅ vcl-ut, hypatia agent worktrees, ephapax proof-debt worktrees — all untouched
• ✅ ephapax preservation, betlang substTop, boj-server class-J — not refiled
• ✅ Stray local commit on gossamer/main (workflow hardening, unpushed) preserved by branching from origin/main

Campaign workspace

• Plan + driver scripts: /tmp/panic-attack-campaign-2026-05-26/
• Per-repo scan outputs: /tmp/panic-attack-campaign-2026-05-26/per-repo/*.json
• Triage plan: /tmp/panic-attack-campaign-2026-05-26/02-plan.json
• Tracker issue: panic-attack estate sweep — 2026-05-26 #32
• Design follow-up: Complete VeriSimDB hexad persistence (S1–S3) — campaign-driven #33 (VeriSimDB hexad persistence — would make next campaign cheaper)