security: 37 Critical/High panic-attack findings need human triage (Track C)

## panic-attack estate sweep — Track C tracking issue

`panic-attack assail` flagged the findings below in this repo on 2026-05-26. They are aggregated here for human triage rather than as individual PRs because each requires judgement (supply-chain pin choice, schema-design call, mutation-test gap, etc.).

PA001/PA007 UnsafeCode/UnsafeFFI findings are NOT in this list. Findings already suppressed in `audits/assail-classifications.a2ml` are also excluded.

Estate tracker: hyperpolymath/panic-attack#32.
### `DynamicCodeExecution` (5 findings)

<details><summary>file:line list</summary>

```High  stateful-artefacts/dashboard/js/dashboard.js:?  DOM manipulation (innerHTML/document.write) in stateful-artefacts/dashboard/js/dashboard.js
High  stateful-artefacts/browser-extension/scripts/popup.js:?  DOM manipulation (innerHTML/document.write) in stateful-artefacts/browser-extension/scripts/popup.js
High  stateful-artefacts/browser-extension/scripts/content.js:?  DOM manipulation (innerHTML/document.write) in stateful-artefacts/browser-extension/scripts/content.js
High  stateful-artefacts/annotation-layer/annotations.js:?  DOM manipulation (innerHTML/document.write) in stateful-artefacts/annotation-layer/annotations.js
High  web/app.js:?  DOM manipulation (innerHTML/document.write) in web/app.js
```
</details>
### `HardcodedSecret` (2 findings)

<details><summary>file:line list</summary>

```Critical  bitfuckit/src/syncthing_sync.adb:?  Possible hardcoded secret in bitfuckit/src/syncthing_sync.adb
Critical  scaffoldia/registry/elixir/phoenix-service.ncl:?  Possible hardcoded secret in scaffoldia/registry/elixir/phoenix-service.ncl
```
</details>
### `SupplyChain` (5 findings)

<details><summary>file:line list</summary>

```High  flake.nix:?  flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in flake.nix
High  rpa-elysium/flake.nix:?  flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in rpa-elysium/fla
High  bitfuckit/flake.nix:?  flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in bitfuckit/flake
High  bitfuckit/packaging/flake.nix:?  flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in bitfuckit/packa
High  tools/hud/flake.nix:?  flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in tools/hud/flake
```
</details>
### `UnboundedAllocation` (24 findings)

<details><summary>file:line list</summary>

```Critical  src/graph.rs:?  Potential unbounded allocation pattern detected in src/graph.rs
Critical  src/scanner.rs:?  Potential unbounded allocation pattern detected in src/scanner.rs
Critical  rpa-elysium/crates/rpa-fs-workflow/src/actions/archive.rs:?  Potential unbounded allocation pattern detected in rpa-elysium/crates/rpa-fs-workflow/src/actions/archive.rs
Critical  rpa-elysium/crates/rpa-config/src/loader.rs:?  Potential unbounded allocation pattern detected in rpa-elysium/crates/rpa-config/src/loader.rs
Critical  git-morph/src/template.rs:?  Potential unbounded allocation pattern detected in git-morph/src/template.rs
Critical  git-morph/src/manifest.rs:?  Potential unbounded allocation pattern detected in git-morph/src/manifest.rs
Critical  git-morph/src/inflate.rs:?  Potential unbounded allocation pattern detected in git-morph/src/inflate.rs
Critical  tools/rsr-certified/engine/src/compliance/rhodium.rs:?  Potential unbounded allocation pattern detected in tools/rsr-certified/engine/src/compliance/rhodium.rs
Critical  tools/rsr-certified/engine/src/compliance/bronze.rs:?  Potential unbounded allocation pattern detected in tools/rsr-certified/engine/src/compliance/bronze.rs
Critical  tools/rsr-certified/engine/src/compliance/gold.rs:?  Potential unbounded allocation pattern detected in tools/rsr-certified/engine/src/compliance/gold.rs
Critical  tools/rsr-certified/engine/src/compliance/silver.rs:?  Potential unbounded allocation pattern detected in tools/rsr-certified/engine/src/compliance/silver.rs
Critical  tools/merge-resolver/src/lib.rs:?  Potential unbounded allocation pattern detected in tools/merge-resolver/src/lib.rs
Critical  tools/merge-resolver/src/verify.rs:?  Potential unbounded allocation pattern detected in tools/merge-resolver/src/verify.rs
Critical  contractiles/cli/crates/contractile-core/src/toml_compat.rs:?  Potential unbounded allocation pattern detected in contractiles/cli/crates/contractile-core/src/toml_compat.rs
Critical  contractiles/cli/crates/contractile-core/src/just_emitter.rs:?  Potential unbounded allocation pattern detected in contractiles/cli/crates/contractile-core/src/just_emitter.rs
Critical  contractiles/cli/crates/contractile/src/must.rs:?  Potential unbounded allocation pattern detected in contractiles/cli/crates/contractile/src/must.rs
Critical  contractiles/cli/crates/contractile/src/dust.rs:?  Potential unbounded allocation pattern detected in contractiles/cli/crates/contractile/src/dust.rs
Critical  contractiles/cli/crates/contractile/src/init.rs:?  Potential unbounded allocation pattern detected in contractiles/cli/crates/contractile/src/init.rs
Critical  contractiles/cli/crates/contractile/src/intend.rs:?  Potential unbounded allocation pattern detected in contractiles/cli/crates/contractile/src/intend.rs
Critical  contractiles/cli/crates/contractile/src/status.rs:?  Potential unbounded allocation pattern detected in contractiles/cli/crates/contractile/src/status.rs
Critical  contractiles/cli/crates/contractile/src/trust.rs:?  Potential unbounded allocation pattern detected in contractiles/cli/crates/contractile/src/trust.rs
Critical  contractiles/runners/must/src/state.rs:?  Potential unbounded allocation pattern detected in contractiles/runners/must/src/state.rs
Critical  git-seo/src/main.rs:?  Potential unbounded allocation pattern detected in git-seo/src/main.rs
Critical  forge-ops/src-tauri/src/forgeops/config.rs:?  Potential unbounded allocation pattern detected in forge-ops/src-tauri/src/forgeops/config.rs
```
</details>
### `UnsafeDeserialization` (1 findings)

<details><summary>file:line list</summary>

```High  forge-ops/src/core/ForgeOpsEngine.res:?  1 JSON.parseExn calls in forge-ops/src/core/ForgeOpsEngine.res (use JSON.parse for safe Result)
```
</details>

---

🤖 Discovered during the panic-attack estate sweep (2026-05-26). See hyperpolymath/panic-attack#32 for campaign tracker.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

security: 37 Critical/High panic-attack findings need human triage (Track C) #68

panic-attack estate sweep — Track C tracking issue

`DynamicCodeExecution` (5 findings)

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

security: 37 Critical/High panic-attack findings need human triage (Track C) #68

Description

panic-attack estate sweep — Track C tracking issue

DynamicCodeExecution (5 findings)

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions

`DynamicCodeExecution` (5 findings)