security: 15 Critical/High panic-attack findings need human triage (Track C)

## panic-attack estate sweep — Track C tracking issue

`panic-attack assail` flagged the findings below in this repo on 2026-05-26. They are aggregated here for human triage rather than as individual PRs because each requires judgement (supply-chain pin choice, schema-design call, mutation-test gap, etc.).

PA001/PA007 UnsafeCode/UnsafeFFI findings are NOT in this list. Findings already suppressed in `audits/assail-classifications.a2ml` are also excluded.

Estate tracker: hyperpolymath/panic-attack#32.
### `CommandInjection` (3 findings)

<details><summary>file:line list</summary>

```Critical  config/validate.sh:?  eval usage in config/validate.sh
Critical  tests/ai-isolation/network-tests/container_escape_test.sh:?  eval usage in tests/ai-isolation/network-tests/container_escape_test.sh
Critical  scripts/install/install.sh:?  eval usage in scripts/install/install.sh
```
</details>
### `DynamicCodeExecution` (1 findings)

<details><summary>file:line list</summary>

```High  examples/demos/web-ui/app.js:?  DOM manipulation (innerHTML/document.write) in examples/demos/web-ui/app.js
```
</details>
### `HardcodedSecret` (7 findings)

<details><summary>file:line list</summary>

```Critical  monitoring/healthchecks/healthcheck.sh:?  Possible hardcoded secret in monitoring/healthchecks/healthcheck.sh
Critical  monitoring/scripts/backup_dashboards.sh:?  Possible hardcoded secret in monitoring/scripts/backup_dashboards.sh
Critical  scripts/management/uninstall.sh:?  Possible hardcoded secret in scripts/management/uninstall.sh
Critical  scripts/management/backup.sh:?  Possible hardcoded secret in scripts/management/backup.sh
Critical  scripts/management/init-database.sh:?  Possible hardcoded secret in scripts/management/init-database.sh
Critical  scripts/management/update.sh:?  Possible hardcoded secret in scripts/management/update.sh
Critical  scripts/management/health-check.sh:?  Possible hardcoded secret in scripts/management/health-check.sh
```
</details>
### `SupplyChain` (1 findings)

<details><summary>file:line list</summary>

```High  flake.nix:?  flake.nix declares inputs without narHash, rev pinning, or sibling flake.lock — dependency revision is unpinned in flake.nix
```
</details>
### `UnboundedAllocation` (3 findings)

<details><summary>file:line list</summary>

```Critical  cli/src/commands/feedback.rs:?  Potential unbounded allocation pattern detected in cli/src/commands/feedback.rs
Critical  cli/src/commands/sync.rs:?  Potential unbounded allocation pattern detected in cli/src/commands/sync.rs
Critical  cli/src/config.rs:?  Potential unbounded allocation pattern detected in cli/src/config.rs
```
</details>

---

🤖 Discovered during the panic-attack estate sweep (2026-05-26). See hyperpolymath/panic-attack#32 for campaign tracker.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

security: 15 Critical/High panic-attack findings need human triage (Track C) #201

panic-attack estate sweep — Track C tracking issue

`CommandInjection` (3 findings)

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

security: 15 Critical/High panic-attack findings need human triage (Track C) #201

Description

panic-attack estate sweep — Track C tracking issue

CommandInjection (3 findings)

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions

`CommandInjection` (3 findings)