security: 39 Critical/High panic-attack findings need human triage (Track C) #178

@hyperpolymath

panic-attack estate sweep — Track C tracking issue

panic-attack assail flagged the findings below in this repo on 2026-05-26. They are aggregated here for human triage rather than as individual PRs because each requires judgement (supply-chain pin choice, schema-design call, mutation-test gap, etc.).

PA001/PA007 UnsafeCode/UnsafeFFI findings are NOT in this list. Findings already suppressed in audits/assail-classifications.a2ml are also excluded.

Estate tracker: hyperpolymath/panic-attack#32.

### `CommandInjection` (6 findings)

| Severity | file:line | Finding |
|---|---|---|
| Critical | rhodium-standard-repositories/satellites/palimpsest-license/bof-meetings/presentations/demo-http-headers.sh:? | eval usage in rhodium-standard-repositories/satellites/palimpsest-license/bof-meetings/presentations/demo-http-headers.sh |
| Critical | rhodium-standard-repositories/satellites/palimpsest-license/bof-meetings/presentations/demo-dns-discovery.sh:? | eval usage in rhodium-standard-repositories/satellites/palimpsest-license/bof-meetings/presentations/demo-dns-discovery.sh |
| Critical | k9-svc/benchmarks/k9-bench.sh:? | eval usage in k9-svc/benchmarks/k9-bench.sh |
| Critical | a2ml/benchmarks/parser-bench.sh:? | eval usage in a2ml/benchmarks/parser-bench.sh |
| High | a2ml/pandoc/a2ml-filter.lua:? | os.execute/io.popen in a2ml/pandoc/a2ml-filter.lua |

### `DynamicCodeExecution` (2 findings)

| Severity | file:line | Finding |
|---|---|---|
| High | avow-protocol/public/demo.js:? | DOM manipulation (innerHTML/document.write) in avow-protocol/public/demo.js |

### `SupplyChain` (16 findings)

| Severity | file:line | Finding |
|---|---|---|
| High | rhodium-standard-repositories/examples/rhodium-minimal/flake.nix:? | flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in rhodium-standar |
| High | flake.nix:? | flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in flake.nix |
| High | k9-svc/flake.nix:? | flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in k9-svc/flake.ni |
| High | k9-svc/actions/validate/flake.nix:? | flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in k9-svc/actions/ |
| High | k9-svc/editors/vscode/flake.nix:? | flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in k9-svc/editors/ |
| High | k9-svc/pandoc/flake.nix:? | flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in k9-svc/pandoc/f |
| High | k9-svc/bindings/deno/flake.nix:? | flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in k9-svc/bindings |
| High | k9-svc/bindings/rust/flake.nix:? | flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in k9-svc/bindings |
| High | k9-svc/bindings/haskell/flake.nix:? | flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in k9-svc/bindings |
| High | a2ml/actions/validate/flake.nix:? | flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in a2ml/actions/va |
| High | a2ml/editors/vscode/flake.nix:? | flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in a2ml/editors/vs |
| High | a2ml/pandoc/flake.nix:? | flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in a2ml/pandoc/fla |
| High | a2ml/bindings/deno/flake.nix:? | flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in a2ml/bindings/d |
| High | a2ml/bindings/rust/flake.nix:? | flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in a2ml/bindings/r |
| High | a2ml/bindings/haskell/flake.nix:? | flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in a2ml/bindings/h |

### `UnboundedAllocation` (15 findings)

| Severity | file:line | Finding |
|---|---|---|
| Critical | rhodium-standard-repositories/satellites/rsr-certifier/engine/src/compliance/bronze.rs:? | Potential unbounded allocation pattern detected in rhodium-standard-repositories/satellites/rsr-certifier/engine/src/compliance/br |
| Critical | rhodium-standard-repositories/satellites/rsr-certifier/engine/src/compliance/gold.rs:? | Potential unbounded allocation pattern detected in rhodium-standard-repositories/satellites/rsr-certifier/engine/src/compliance/go |
| Critical | rhodium-standard-repositories/satellites/rsr-certifier/engine/src/compliance/silver.rs:? | Potential unbounded allocation pattern detected in rhodium-standard-repositories/satellites/rsr-certifier/engine/src/compliance/si |
| Critical | 0-ai-gatekeeper-protocol/repo-guardian-fs/src/manifest.rs:? | Potential unbounded allocation pattern detected in 0-ai-gatekeeper-protocol/repo-guardian-fs/src/manifest.rs |
| Critical | inline-annotations/extractor/src/main.rs:? | Potential unbounded allocation pattern detected in inline-annotations/extractor/src/main.rs |
| Critical | groove-protocol/cli/src/probe.rs:? | Potential unbounded allocation pattern detected in groove-protocol/cli/src/probe.rs |
| Critical | groove-protocol/cli/src/validate.rs:? | Potential unbounded allocation pattern detected in groove-protocol/cli/src/validate.rs |
| Critical | groove-protocol/cli/src/detect.rs:? | Potential unbounded allocation pattern detected in groove-protocol/cli/src/detect.rs |
| Critical | k9-svc/tools/src/k9-validate/src/main.rs:? | Potential unbounded allocation pattern detected in k9-svc/tools/src/k9-validate/src/main.rs |
| Critical | k9-svc/tools/src/k9-sign/src/main.rs:? | Potential unbounded allocation pattern detected in k9-svc/tools/src/k9-sign/src/main.rs |
| Critical | k9-svc/k9-sign/src/main.rs:? | Potential unbounded allocation pattern detected in k9-svc/k9-sign/src/main.rs |
| Critical | k9-svc/bindings/rust/src/parser.rs:? | Potential unbounded allocation pattern detected in k9-svc/bindings/rust/src/parser.rs |
| Critical | hooks/playbook-to-recipe/src/main.rs:? | Potential unbounded allocation pattern detected in hooks/playbook-to-recipe/src/main.rs |
| Critical | k9-coordination-protocol/tools/k9-init/src/main.rs:? | Potential unbounded allocation pattern detected in k9-coordination-protocol/tools/k9-init/src/main.rs |

🤖 Discovered during the panic-attack estate sweep (2026-05-26). See hyperpolymath/panic-attack#32 for campaign tracker.
