panic-attack estate sweep — Track C tracking issue
panic-attack assail flagged the findings below in this repo on 2026-05-26. They are aggregated here for human triage rather than as individual PRs because each requires judgement (supply-chain pin choice, schema-design call, mutation-test gap, etc.).
PA001/PA007 UnsafeCode/UnsafeFFI findings are NOT in this list (Track A covers PA001/PA007 separately via PR #11 + #12). Findings already suppressed in audits/assail-classifications.a2ml are also excluded.
Estate tracker: hyperpolymath/panic-attack#32.
### `CryptoMisuse` (12 findings)

file:line list

| Severity | Location | Finding |
|---|---|---|
| Critical | `src/tests/IntegrationTests.test.ts:?` | jose `decodeJwt()` without `jwtVerify()`: `decodeJwt()` does not verify the signature; use `jwtVerify()` instead |
| Critical | `src/tests/PropertyTests.test.ts:?` | jose `decodeJwt()` without `jwtVerify()`: `decodeJwt()` does not verify the signature; use `jwtVerify()` instead |
| Critical | `src/tests/AuthTest.res.mjs:?` | jose `decodeJwt()` without `jwtVerify()`: `decodeJwt()` does not verify the signature; use `jwtVerify()` instead |
| Critical | `src/tests/AuthSecurityTest.res.mjs:?` | jose `decodeJwt()` without `jwtVerify()`: `decodeJwt()` does not verify the signature; use `jwtVerify()` instead |
| Critical | `src/auth/AuthMiddleware.res.mjs:?` | jose `decodeJwt()` without `jwtVerify()`: `decodeJwt()` does not verify the signature; use `jwtVerify()` instead |
| Critical | `src/auth/Jwt.res.mjs:?` | jose `decodeJwt()` without `jwtVerify()`: `decodeJwt()` does not verify the signature; use `jwtVerify()` instead |
| Critical | `src/lib/bs/tests/AuthTest.res.mjs:?` | jose `decodeJwt()` without `jwtVerify()`: `decodeJwt()` does not verify the signature; use `jwtVerify()` instead |
| Critical | `src/lib/bs/tests/AuthSecurityTest.res.mjs:?` | jose `decodeJwt()` without `jwtVerify()`: `decodeJwt()` does not verify the signature; use `jwtVerify()` instead |
| Critical | `src/lib/bs/auth/AuthMiddleware.res.mjs:?` | jose `decodeJwt()` without `jwtVerify()`: `decodeJwt()` does not verify the signature; use `jwtVerify()` instead |
| Critical | `src/lib/bs/auth/Jwt.res.mjs:?` | jose `decodeJwt()` without `jwtVerify()`: `decodeJwt()` does not verify the signature; use `jwtVerify()` instead |
| Critical | `tests/bench/gateway_bench.js:?` | jose `decodeJwt()` without `jwtVerify()`: `decodeJwt()` does not verify the signature; use `jwtVerify()` instead |
### `SupplyChain` (1 finding)
file:line list
### `UnsafeDeserialization` (6 findings)

file:line list

| Severity | Location | Finding |
|---|---|---|
| High | `src/policy/PolicyStore.res:?` | 1 `JSON.parseExn` call (use `JSON.parse` for a safe `Result`) |
| High | `src/lib/bs/auth/Jwt.res:?` | 1 `JSON.parseExn` call (use `JSON.parse` for a safe `Result`) |
| High | `src/lib/bs/policy/PolicyStore.res:?` | 1 `JSON.parseExn` call (use `JSON.parse` for a safe `Result`) |
| High | `src/lib/ocaml/Jwt.res:?` | 1 `JSON.parseExn` call (use `JSON.parse` for a safe `Result`) |
| High | `src/lib/ocaml/PolicyStore.res:?` | 1 `JSON.parseExn` call (use `JSON.parse` for a safe `Result`) |
🤖 Discovered during the panic-attack estate sweep (2026-05-26). See hyperpolymath/panic-attack#32 for campaign tracker.