security: 2026-06-01 panic-attack re-sweep — 12 new High findings + 4 false-positive classifications needed (Track C, post-#104)

[hyperpolymath]

panic-attack 2026-06-01 re-sweep — Track C tracker

Re-ran `panic-attack assail` (v2.5.0) on this repo on 2026-06-01. The Critical-tier finding is fixed in #176 (auto-merge armed). The remaining High/Medium findings need human triage — most should be added to `reports/audits/assail-classifications.a2ml` rather than code-fixed.

Cross-reference: estate tracker hyperpolymath/panic-attack#32; prior triage tracker #104 (CLOSED via #145 + #176).

Already-suppressed (no action — listed for sanity)

These appear in the report but are already classified in `reports/audits/assail-classifications.a2ml`:

• `src/rust/ffi/mod.rs` (UnsafeCode + ResourceLeak)
• `src/rust/ffi/spark_axiom.rs` (UnsafeCode)
• `src/rust/proof_search.rs` (UnsafeCode + raw-pointer cast)
• `src/interfaces/{graphql,grpc,rest}/ffi_wrapper.rs` (UnsafeCode + raw-pointer cast)
• `src/rust/provers/z3.rs` (PanicPath)
• `src/rust/fault_tolerance/resilience.rs` (PanicPath)
• `proofs/agda/{Basic,SoundnessPreservation}.agda` (ProofDrift)

NEW post-#104 High findings — classification recommended

These are post-#104 FFI additions. Same pattern as already-classified ffi/mod.rs etc. — recommend adding entries to `assail-classifications.a2ml` with audit cross-refs.

Severity	Category	File	Description
High	UnsafeCode	`src/rust/coprocessor/flint.rs`	17 unsafe blocks — FLINT C bigint FFI
High	UnsafeFFI	`src/zig/ffi/axiom_spark_bridge.zig`	1 C interop import
High	UnsafeFFI	`src/zig_ffi/chapel_bridge.zig`	1 C interop import
High	UnsafeCode	`ffi/zig/src/boj.zig`	1 unsafe pointer cast
High	UnsafeCode	`ffi/zig/src/overlay.zig`	1 unsafe pointer cast
High	UnsafeCode	`ffi/zig/src/typell.zig`	1 unsafe pointer cast

Recommended: extend `audits/audit-ffi-boundary.md` with §s 9-11 covering FLINT, Zig FFI bridges, and `ffi/zig/src/` overlay layer, then add 6 classification entries.

Medium findings — likely false positives / classification recommended

Severity	Category	File	Why FP-likely
Medium	InsecureProtocol	`echidna-playground/src/Page.res:155`	XHTML namespace URI `http://www.w3.org/1999/xhtml\` — canonical, not network
Medium	InsecureProtocol	`src/rust/provers/elk.rs:78-79`	OWL Ontology IRI `http://echidna.example/ontology\` — canonical, not network
Medium	InsecureProtocol	`src/rust/provers/konclude.rs:75-76`	Same as elk.rs — OWL ontology IRI
Medium	PanicPath	`src/provers/runners/Cli.res`	9 `unsafeGet` — being replaced by AffineScript port per #117
Medium	PanicPath	`tests/agentic_integration.rs`	Test code; panics OK
Medium	PanicPath	`tests/sanity_suite.rs`	Test code; panics OK
Medium	InputBoundary	`tests/julia/gnn_rank_smoke.jl`	Test smoke fixture; brittle-by-design
Medium	SupplyChain	`deno.json`	The flagged entry is the local import `@echidna/provers` → `./src/provers/mod.ts`; `@std/` is pinned to `0.224.0`; appears to be a panic-attack false positive on local paths
Medium	PathTraversal	`scripts/balance_corpus.sh`	Uses `/tmp/corpus_files.txt`; build-artifact tmp, low risk — recommend `mktemp` for hygiene
Medium	PathTraversal	`scripts/balance_corpus_fast.sh`	Same
Medium	PathTraversal	`scripts/gen-provers-a2ml.sh`	Uses `/tmp/provers-list.txt`; same — recommend `mktemp`
Low	MutationGap	`Cargo.toml`	Recommend adding `.cargo-mutants.toml` — independent debt item

The 3 `PathTraversal` script findings are the only ones with a small code-fix angle (swap `/tmp/foo` → `mktemp`). Could be one trivial PR if you want.

Suggested closure path

1. fix(security): bound load_octads_jsonl read — panic-attack Critical resurfaced (Refs #104) #176 merges → Critical = 0
2. Author adds the 6 High-FFI entries to `assail-classifications.a2ml` + audit-ffi-boundary.md §§9-11
3. Optionally: 1 small PR to swap `/tmp/` → `mktemp` in the 3 scripts (trivially-fixable)
4. Then this issue closes "no Critical/High actionable after classification update; Cli.res tracked under echidna: Client.res AffineScript-TEA port — missing primitives (Http/Promise/Json/Dict) [meta] #117"

🤖 Discovered during the panic-attack estate sweep (2026-06-01). See hyperpolymath/panic-attack#32 for campaign tracker.