fix(assail): UnboundedAllocation is Medium, not Critical

.claude/CLAUDE.md

@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 # Panic Attack - Project Instructions
 
 ## Overview

.github/CODEOWNERS

@@ -0,0 +1,34 @@
+# SPDX-License-Identifier: MPL-2.0
+# CODEOWNERS - Define code review assignments for GitHub
+# See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Default: sole maintainer for all files
+* @hyperpolymath
+
+# Security-sensitive files require explicit ownership
+SECURITY.md @hyperpolymath
+.github/workflows/ @hyperpolymath
+.machine_readable/ @hyperpolymath
+contractiles/ @hyperpolymath
+
+# License files
+LICENSE @hyperpolymath
+LICENSES/ @hyperpolymath
+
+# Configuration
+.gitignore @hyperpolymath
+.github/ @hyperpolymath
+
+# Documentation
+README* @hyperpolymath
+CONTRIBUTING* @hyperpolymath
+CODE_OF_CONDUCT* @hyperpolymath
+GOVERNANCE* @hyperpolymath
+MAINTAINERS* @hyperpolymath
+CHANGELOG* @hyperpolymath
+ROADMAP* @hyperpolymath
+
+# Build and CI
+Justfile @hyperpolymath
+Makefile @hyperpolymath
+*.sh @hyperpolymath

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 ---
 name: Bug report
 about: Create a report to help us improve

.github/ISSUE_TEMPLATE/custom.md

@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 ---
 name: Custom issue template
 about: Describe this issue template's purpose here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 ---
 name: Feature request
 about: Suggest an idea for this project

.github/copilot/coding-agent.yml

@@ -0,0 +1,6 @@
+mcp_servers:
+  boj-server:
+    command: npx
+    args: ["-y", "@hyperpolymath/boj-server@latest"]
+    env:
+      BOJ_URL: http://localhost:7700

.github/workflows/boj-build.yml

@@ -9,6 +9,7 @@ permissions:
 jobs:
   trigger-boj:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

.github/workflows/cargo-audit.yml

@@ -1,32 +1,27 @@
 # SPDX-License-Identifier: MPL-2.0
 name: Security Audit
-
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
-    branches: [ main ]
+    branches: [main]
   schedule:
     - cron: '0 0 * * 0' # Weekly on Sunday
-
 permissions:
   contents: read
-
 jobs:
   audit:
     name: Cargo Audit
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Checkout code
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
         with:
           toolchain: stable
-
       - name: Install cargo-audit
         run: cargo install cargo-audit
-
       - name: Run cargo audit
         run: cargo audit

.github/workflows/casket-pages.yml

@@ -1,39 +1,33 @@
 # SPDX-License-Identifier: MPL-2.0
 name: GitHub Pages
-
 on:
   push:
     branches: [main, master]
   workflow_dispatch:
-
 permissions:
   contents: read
   pages: write
   id-token: write
-
 concurrency:
   group: "pages"
   cancel-in-progress: false
-
 jobs:
   build:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
-
       - name: Checkout casket-ssg
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           repository: hyperpolymath/casket-ssg
           path: .casket-ssg
-
       - name: Setup GHCup
         uses: haskell-actions/setup@ec49483bfc012387b227434aba94f59a6ecd0900 # v2
         with:
           ghc-version: '9.8.2'
           cabal-version: '3.10'
-
       - name: Cache Cabal
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
@@ -42,11 +36,9 @@ jobs:
             ~/.cabal/store
             .casket-ssg/dist-newstyle
           key: ${{ runner.os }}-casket-${{ hashFiles('.casket-ssg/casket-ssg.cabal') }}
-
       - name: Build casket-ssg
         working-directory: .casket-ssg
         run: cabal build
-
       - name: Prepare site source
         shell: bash
         run: |
@@ -89,26 +81,23 @@ jobs:
               echo "Project-specific site content can be added later under site/."
             } > .site-src/index.md
           fi
-
       - name: Build site
         run: |
           mkdir -p _site
           cd .casket-ssg && cabal run casket-ssg -- build ../.site-src ../_site
           touch ../_site/.nojekyll
-
       - name: Setup Pages
         uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
-
       - name: Upload artifact
         uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
         with:
           path: '_site'
-
   deploy:
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     needs: build
     steps:
       - name: Deploy to GitHub Pages

.github/workflows/chapel-ci.yml

@@ -32,27 +32,23 @@
 # workflow trusts the HTTPS endpoint at chapel-lang/chapel releases.
 
 name: chapel-ci
-
 on:
   push:
     branches: [main]
   pull_request:
-
 permissions:
   contents: read
-
 concurrency:
   group: chapel-ci-${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
-
 env:
   CHAPEL_VERSION: "2.8.0"
   CHAPEL_DEB_URL: "https://github.com/chapel-lang/chapel/releases/download/2.8.0/chapel-2.8.0-1.ubuntu22.amd64.deb"
-
 jobs:
   detect-relevant-changes:
     name: detect-relevant-changes
     runs-on: ubuntu-22.04
+    timeout-minutes: 15
     outputs:
       relevant: ${{ steps.f.outputs.relevant }}
     steps:
@@ -81,12 +77,12 @@ jobs:
             echo "relevant=false" >> "$GITHUB_OUTPUT"
             echo "detect: no chapel-relevant paths — gates skipped via if-guard"
           fi
-
   chapel-parse-check:
     name: chapel-parse-check
     needs: detect-relevant-changes
     if: needs.detect-relevant-changes.outputs.relevant == 'true'
     runs-on: ubuntu-22.04
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install Chapel ${{ env.CHAPEL_VERSION }}
@@ -103,12 +99,12 @@ jobs:
           set -euo pipefail
           chpl --parse-only src/MassPanic.chpl src/Protocol.chpl src/Imaging.chpl src/Temporal.chpl
           chpl --parse-only smoke/two_repo_smoke.chpl src/Protocol.chpl src/Imaging.chpl
-
   chapel-build:
     name: chapel-build
     needs: [detect-relevant-changes, chapel-parse-check]
     if: needs.detect-relevant-changes.outputs.relevant == 'true'
     runs-on: ubuntu-22.04
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install Chapel ${{ env.CHAPEL_VERSION }}
@@ -133,12 +129,12 @@ jobs:
             chapel/mass-panic
             chapel/smoke/two_repo_smoke
           retention-days: 1
-
   chapel-smoke:
     name: chapel-smoke
     needs: [detect-relevant-changes, chapel-build]
     if: needs.detect-relevant-changes.outputs.relevant == 'true'
     runs-on: ubuntu-22.04
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install Chapel ${{ env.CHAPEL_VERSION }}
@@ -157,12 +153,12 @@ jobs:
         run: chmod +x chapel/mass-panic chapel/smoke/two_repo_smoke
       - name: Run two_repo_smoke
         run: ./chapel/smoke/two_repo_smoke
-
   chapel-e2e:
     name: chapel-e2e
     needs: [detect-relevant-changes, chapel-build]
     if: needs.detect-relevant-changes.outputs.relevant == 'true'
     runs-on: ubuntu-22.04
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install Chapel ${{ env.CHAPEL_VERSION }}
@@ -193,12 +189,12 @@ jobs:
           ./chapel/mass-panic --repoDirectory="$WORK/corpus" --numLocales=1 --quiet --outputDir="$WORK/out"
           ls "$WORK/out"/system-image-*.json >/dev/null
           echo "chapel-e2e: PASS"
-
   chapel-cli-contract:
     name: chapel-cli-contract
     needs: detect-relevant-changes
     if: needs.detect-relevant-changes.outputs.relevant == 'true'
     runs-on: ubuntu-22.04
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
@@ -213,12 +209,12 @@ jobs:
         run: cargo build --release --locked
       - name: Run contract gate
         run: ./chapel/tests/contract_check.sh
-
   chapel-rust-diff:
     name: chapel-rust-diff
     needs: [detect-relevant-changes, chapel-build]
     if: needs.detect-relevant-changes.outputs.relevant == 'true'
     runs-on: ubuntu-22.04
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
@@ -247,7 +243,6 @@ jobs:
         run: cargo build --release --locked
       - name: rayon vs Chapel single-locale aggregate parity
         run: ./chapel/tests/rayon_vs_chapel_diff.sh
-
   # Always-on aggregator. This is the ONLY job listed in the Base ruleset's
   # required_status_checks rule. If detect-relevant-changes determined nothing
   # in this PR touches Chapel-relevant paths, the gate passes immediately
@@ -266,6 +261,7 @@ jobs:
       - chapel-rust-diff
     if: always()
     runs-on: ubuntu-22.04
+    timeout-minutes: 15
     steps:
       - name: Aggregate chapel-ci results
         env:

.github/workflows/codeql.yml

@@ -1,28 +1,25 @@
 # SPDX-License-Identifier: MPL-2.0
 name: CodeQL Security Analysis
-
 on:
   push:
     branches: [main, master]
   pull_request:
     branches: [main, master]
   schedule:
     - cron: '0 6 * * 1'
-
 # Estate guardrail: cancel superseded runs so re-pushes / rebased PR
 # updates do not pile up queued runs against the shared account-wide
 # Actions concurrency pool. Applied only to read-only check workflows
 # (no publish/mutation), so cancelling a superseded run is always safe.
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
-
 permissions:
   contents: read
-
 jobs:
   analyze:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       contents: read
       security-events: write
@@ -36,17 +33,14 @@ jobs:
           # supply-chain surface for this repo.
           - language: actions
             build-mode: none
-
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
       - name: Initialize CodeQL
         uses: github/codeql-action/init@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
-
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
         with: