audit: classify 10 FFI unsafe findings as legitimate (PA001/PA007)#35

Merged
hyperpolymath merged 3 commits into
mainfrom
panic-fix/PA001-PA007-ffi-legitimate
May 27, 2026

Conversation

@hyperpolymath
Owner

Summary

panic-attack assail reports 10 UnsafeCode (PA001) + UnsafeFFI (PA007) Critical/High findings under src/api/zig/ (main.zig, hyperglass_client.zig) — all at the Zig→C ABI boundary.

What changes

  • audits/assail-classifications.a2ml (10 entries, classification=legitimate-ffi)
  • audits/audit-ffi-2026-05-26.md

Same pattern as svalinn#11, proven#67, gossamer#54, docudactyl#20, proven-servers#11.

Refs hyperpolymath/panic-attack#32.

🤖 Generated with Claude Code

panic-attack assail flags 10 UnsafeCode/UnsafeFFI Critical/High findings
under src/api/zig/ — all at the Zig→C ABI boundary.

Adds:
- audits/assail-classifications.a2ml (10 entries, classification=legitimate-ffi)
- audits/audit-ffi-2026-05-26.md

Refs hyperpolymath/panic-attack#32.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
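
The scanner findings on this PR (unchecked @ptrCast at the Zig→C boundary, CWE-704; an unwrap() that can panic, CWE-754) reduce to one question the audit has to answer per call site: are the invariants the cast relies on established before the cast, and can the entry point fail without unwinding into C? The block below is an added example in Rust, not code from the aerie project or from this PR; the function name aerie_on_data, the Ctx type, the FFI_* status codes and the payload are hypothetical. It shows the shape a classification=legitimate-ffi entry should be able to point at: unsafe confined to a single C-ABI entry point, null and alignment checked first, a zero-length buffer handled without building a slice from a null pointer, and any panic mapped to a status code instead of crossing the boundary. The Zig equivalents of the first two checks are an optional pointer (?*anyopaque) for null and @alignCast ahead of @ptrCast for alignment.

```rust
// Added example (hypothetical names; not aerie project code): a C-ABI entry point whose
// unsafe blocks are the "legitimate-ffi" kind, because every invariant is checked first.
use std::os::raw::{c_int, c_void};
use std::panic::{catch_unwind, AssertUnwindSafe};

/// State the C host owns and hands back to us as an opaque pointer.
#[repr(C)]
#[derive(Debug, Default)]
pub struct Ctx {
    pub calls: u32,
    pub bytes_seen: usize,
}

/// Status codes returned across the ABI; nothing on this path panics into C.
pub const FFI_OK: c_int = 0;
pub const FFI_ENULL: c_int = -1;
pub const FFI_EALIGN: c_int = -2;
pub const FFI_EPANIC: c_int = -3;

/// C-ABI callback: `int aerie_on_data(void *ctx, const uint8_t *buf, size_t len);`
/// (add `#[no_mangle]`, or `#[unsafe(no_mangle)]` on edition 2024, to export the symbol).
pub extern "C" fn aerie_on_data(ctx: *mut c_void, buf: *const u8, len: usize) -> c_int {
    // 1. Null checks before any dereference; a null buffer is acceptable only when len == 0.
    if ctx.is_null() || (buf.is_null() && len != 0) {
        return FFI_ENULL;
    }
    // 2. The opaque pointer must be aligned for Ctx; a misaligned deref is UB, not a panic.
    if (ctx as usize) % std::mem::align_of::<Ctx>() != 0 {
        return FFI_EALIGN;
    }
    // 3. Never unwind across the C boundary: convert any panic into a status code.
    let outcome = catch_unwind(AssertUnwindSafe(|| {
        // SAFETY: non-null and aligned (checked above); the caller's contract is that ctx
        // points to a live Ctx that nothing else accesses for the duration of this call.
        let state: &mut Ctx = unsafe { &mut *ctx.cast::<Ctx>() };
        // SAFETY: buf is non-null when len > 0 (checked above) and the caller guarantees
        // len readable bytes; for len == 0 we never call from_raw_parts on a null pointer.
        let data: &[u8] = if len == 0 {
            &[]
        } else {
            unsafe { std::slice::from_raw_parts(buf, len) }
        };
        process(state, data)
    }));
    match outcome {
        Ok(code) => code,
        Err(_) => FFI_EPANIC,
    }
}

/// Safe core: raw pointers never get past the entry point above.
fn process(state: &mut Ctx, data: &[u8]) -> c_int {
    state.calls = state.calls.saturating_add(1);
    state.bytes_seen = state.bytes_seen.saturating_add(data.len());
    FFI_OK
}

/// Stands in for the C caller so the example runs on its own. The payload is constructed.
pub fn demo() -> (c_int, c_int, c_int, c_int, Ctx) {
    let mut state = Ctx::default();
    let payload = b"constructed sample payload";
    let ctx_ptr = (&mut state as *mut Ctx).cast::<c_void>();

    let ok = aerie_on_data(ctx_ptr, payload.as_ptr(), payload.len());
    let empty = aerie_on_data(ctx_ptr, std::ptr::null(), 0);
    let null_ctx = aerie_on_data(std::ptr::null_mut(), payload.as_ptr(), payload.len());
    // Offsetting by one byte yields a pointer that is not aligned for Ctx.
    let bad_ptr = (ctx_ptr as usize + 1) as *mut c_void;
    let misaligned = aerie_on_data(bad_ptr, payload.as_ptr(), payload.len());
    (ok, empty, null_ctx, misaligned, state)
}

fn main() {
    let (ok, empty, null_ctx, misaligned, state) = demo();
    println!("ok={ok} empty={empty} null_ctx={null_ctx} misaligned={misaligned} state={state:?}");
}
```

Two practical points for the audit file. First, a legitimate-ffi entry is only as good as the invariants it records: for each flagged @ptrCast, the classification should say which of the three checks above hold at that site (or that the C API contract supplies them), so the next scanner run can be diffed against something concrete. Second, the scan output on this PR also carries a critical secret_detected finding in src/api/zig/main.zig with action revoke_rotate_and_purge; that is not an FFI finding, is outside the scope of a legitimate-ffi classification, and has to be triaged separately.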
@github-actions

🔍 Hypatia Security Scan

Findings: 74 issues detected

Severity Count
🔴 Critical 7
🟠 High 47
🟡 Medium 20

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Nickel file missing SPDX-License-Identifier header (1 occurrences, CWE-1104)",
    "type": "ncl_missing_spdx",
    "file": "/home/runner/work/aerie/aerie/configs/config.ncl",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unwrap() without prior check -- DoS via panic (1 occurrences, CWE-754)",
    "type": "unwrap_without_check",
    "file": "/home/runner/work/aerie/aerie/src/api/rust/src/redis_client.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Zig @ptrCast performs unchecked pointer type conversion (3 occurrences, CWE-704)",
    "type": "zig_ptr_cast",
    "file": "/home/runner/work/aerie/aerie/src/api/zig/smokeping_client.zig",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Zig @ptrCast performs unchecked pointer type conversion (3 occurrences, CWE-704)",
    "type": "zig_ptr_cast",
    "file": "/home/runner/work/aerie/aerie/src/api/zig/hyperglass_client.zig",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Zig @ptrCast performs unchecked pointer type conversion (3 occurrences, CWE-704)",
    "type": "zig_ptr_cast",
    "file": "/home/runner/work/aerie/aerie/src/api/zig/main.zig",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Zig @bitCast reinterprets bits without type checking (1 occurrences, CWE-704)",
    "type": "zig_bit_cast",
    "file": "/home/runner/work/aerie/aerie/src/api/zig/proof.zig",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "Zig @ptrCast performs unchecked pointer type conversion (2 occurrences, CWE-704)",
    "type": "zig_ptr_cast",
    "file": "/home/runner/work/aerie/aerie/src/api/zig/librespeed_client.zig",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Zig @ptrCast performs unchecked pointer type conversion (5 occurrences, CWE-704)",
    "type": "zig_ptr_cast",
    "file": "/home/runner/work/aerie/aerie/src/api/zig/verisim_client.zig",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "line": 220,
    "reason": "Secret found: Generic API key",
    "type": "secret_detected",
    "file": "/home/runner/work/aerie/aerie/src/api/zig/main.zig",
    "action": "revoke_rotate_and_purge",
    "rule_module": "security_errors",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

- Replace examples/SafeDOMExample.res with the canonical
  examples/SafeDOMExample.affine (per gitbot-fleet#208 and the
  banned-ReScript anti-pattern policy).

@sonarqubecloud

@github-actions

🔍 Hypatia Security Scan

Findings: 78 issues detected

Severity Count
🔴 Critical 7
🟠 High 50
🟡 Medium 21

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Nickel file missing SPDX-License-Identifier header (1 occurrences, CWE-1104)",
    "type": "ncl_missing_spdx",
    "file": "/home/runner/work/aerie/aerie/configs/config.ncl",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unwrap() without prior check -- DoS via panic (1 occurrences, CWE-754)",
    "type": "unwrap_without_check",
    "file": "/home/runner/work/aerie/aerie/src/api/rust/src/redis_client.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Zig @ptrCast performs unchecked pointer type conversion (3 occurrences, CWE-704)",
    "type": "zig_ptr_cast",
    "file": "/home/runner/work/aerie/aerie/src/api/zig/smokeping_client.zig",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Zig @ptrCast performs unchecked pointer type conversion (3 occurrences, CWE-704)",
    "type": "zig_ptr_cast",
    "file": "/home/runner/work/aerie/aerie/src/api/zig/hyperglass_client.zig",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Zig @ptrCast performs unchecked pointer type conversion (3 occurrences, CWE-704)",
    "type": "zig_ptr_cast",
    "file": "/home/runner/work/aerie/aerie/src/api/zig/main.zig",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Zig @bitCast reinterprets bits without type checking (1 occurrences, CWE-704)",
    "type": "zig_bit_cast",
    "file": "/home/runner/work/aerie/aerie/src/api/zig/proof.zig",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "Zig @ptrCast performs unchecked pointer type conversion (2 occurrences, CWE-704)",
    "type": "zig_ptr_cast",
    "file": "/home/runner/work/aerie/aerie/src/api/zig/librespeed_client.zig",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Zig @ptrCast performs unchecked pointer type conversion (5 occurrences, CWE-704)",
    "type": "zig_ptr_cast",
    "file": "/home/runner/work/aerie/aerie/src/api/zig/verisim_client.zig",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "line": 220,
    "reason": "Secret found: Generic API key",
    "type": "secret_detected",
    "file": "/home/runner/work/aerie/aerie/src/api/zig/main.zig",
    "action": "revoke_rotate_and_purge",
    "rule_module": "security_errors",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath merged commit 236290f into main May 27, 2026
13 of 15 checks passed
@hyperpolymath hyperpolymath deleted the panic-fix/PA001-PA007-ffi-legitimate branch May 27, 2026 12:16