panic-attack estate sweep — Track C tracking issue
panic-attack assail flagged the findings below in this repo on 2026-05-26. They are aggregated here for human triage rather than as individual PRs because each requires judgement (supply-chain pin choice, schema-design call, mutation-test gap, etc.).
PA001/PA007 UnsafeCode/UnsafeFFI findings are NOT in this list (Track A covers PA001/PA007 separately via PR #47). Findings already suppressed in audits/assail-classifications.a2ml are also excluded.
Estate tracker: hyperpolymath/panic-attack#32.
### `DynamicCodeExecution` (4 findings)
| Severity | file:line | Finding |
|---|---|---|
| Critical | tests/anti_crash_test.js:? | eval() usage in tests/anti_crash_test.js |
| Critical | tests/anticrash_gate_crosscutting_test.js:? | eval() usage in tests/anticrash_gate_crosscutting_test.js |
| Critical | tests/aspect/security_test.mjs:? | eval() usage in tests/aspect/security_test.mjs |
### `SupplyChain` (2 findings)
| Severity | file:line | Finding |
|---|---|---|
| High | panel-clades/flake.nix:? | flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in panel-clades/fl |
### `UnboundedAllocation` (28 findings)
| Severity | file:line | Finding |
|---|---|---|
| Critical | tools/pcc/src/contract.rs:? | Potential unbounded allocation pattern detected in tools/pcc/src/contract.rs |
| Critical | tools/pcc/src/scanner.rs:? | Potential unbounded allocation pattern detected in tools/pcc/src/scanner.rs |
| Critical | src-gossamer/src/coprocessor/mod.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/coprocessor/mod.rs |
| Critical | src-gossamer/src/level_architect/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/level_architect/commands.rs |
| Critical | src-gossamer/src/capture/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/capture/commands.rs |
| Critical | src-gossamer/src/release_manager/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/release_manager/commands.rs |
| Critical | src-gossamer/src/workspace/sysinfo.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/workspace/sysinfo.rs |
| Critical | src-gossamer/src/workspace/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/workspace/commands.rs |
| Critical | src-gossamer/src/ai/context.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/ai/context.rs |
| Critical | src-gossamer/src/ai/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/ai/commands.rs |
| Critical | src-gossamer/src/provenance/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/provenance/commands.rs |
| Critical | src-gossamer/src/farm/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/farm/commands.rs |
| Critical | src-gossamer/src/minter/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/minter/commands.rs |
| Critical | src-gossamer/src/settings.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/settings.rs |
| Critical | src-gossamer/src/vm_inspector/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/vm_inspector/commands.rs |
| Critical | src-gossamer/src/clade_scanner/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/clade_scanner/commands.rs |
| Critical | src-gossamer/src/cloudguard/config.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/cloudguard/config.rs |
| Critical | src-gossamer/src/repoloader/scanner.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/repoloader/scanner.rs |
| Critical | src-gossamer/src/repoloader/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/repoloader/commands.rs |
| Critical | src-gossamer/src/k9/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/k9/commands.rs |
| Critical | src-gossamer/src/dlc_workshop/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/dlc_workshop/commands.rs |
| Critical | src-gossamer/src/voicetag/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/voicetag/commands.rs |
| Critical | src-gossamer/src/security/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/security/commands.rs |
| Critical | src-gossamer/src/ums_cartridge/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/ums_cartridge/commands.rs |
| Critical | src-gossamer/src/ums/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/ums/commands.rs |
| Critical | src-gossamer/src/identity.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/identity.rs |
| Critical | src-gossamer/src/a2ml/commands.rs:? | Potential unbounded allocation pattern detected in src-gossamer/src/a2ml/commands.rs |
### `UnsafeDeserialization` (10 findings)
| Severity | file:line | Finding |
|---|---|---|
| High | src/tea/Tea_Json.res:? | 1 JSON.parseExn calls in src/tea/Tea_Json.res (use JSON.parse for safe Result) |
| High | src/Storage.res:? | 1 JSON.parseExn calls in src/Storage.res (use JSON.parse for safe Result) |
| High | src/core/EvangeliserEngine.res:? | 1 JSON.parseExn calls in src/core/EvangeliserEngine.res (use JSON.parse for safe Result) |
| High | src/core/ObservabilityEngine.res:? | 1 JSON.parseExn calls in src/core/ObservabilityEngine.res (use JSON.parse for safe Result) |
| High | src/core/AiEngine.res:? | 1 JSON.parseExn calls in src/core/AiEngine.res (use JSON.parse for safe Result) |
| High | src/update/UpdateIdentity.res:? | 2 JSON.parseExn calls in src/update/UpdateIdentity.res (use JSON.parse for safe Result) |
| High | src/update/UpdateSettings.res:? | 1 JSON.parseExn calls in src/update/UpdateSettings.res (use JSON.parse for safe Result) |
| High | src/update/UpdateService.res:? | 2 JSON.parseExn calls in src/update/UpdateService.res (use JSON.parse for safe Result) |
| High | src/Update.res:? | 1 JSON.parseExn calls in src/Update.res (use JSON.parse for safe Result) |
🤖 Discovered during the panic-attack estate sweep (2026-05-26). See hyperpolymath/panic-attack#32 for campaign tracker.