feat(bridge): cohort overrides for vendored-pin (#74) + Dioxus/GTK transitive (#75)

Bridge classifier still produces the three-way Mitigable/Unmitigable/
Informational output, but now distinguishes two further cases inside
the Informational tier so the suggested action matches reality:

PhantomDeclared cohort override (closes #74 in part):
- New `is_build_script_only_or_vendored_pin(name)` predicate covers
  pkg-config, cc, bindgen, cmake, autocfg, vcpkg, winres,
  embed-resource, openssl-src.
- When a phantom-declared crate matches, the action flips from
  "Strip from Cargo.toml" to "DO NOT STRIP — load-bearing via build.rs
  side-effects or native-lib linkage". Same Informational class,
  different recommendation. Stops `cargo machete --fix` from breaking
  cross-compile TLS / native-lib resolution.
- Feature-based detection (e.g. openssl-sys with `vendored` feature)
  remains future work — it needs feature-set plumbing into evidence
  that the bridge doesn't have today.

PhantomTransitive cohort override (closes #75):
- New `is_dioxus_gui_parent(parent)` matches wry, dioxus-desktop,
  dioxus.
- New `is_gtk_webkit_family(name)` matches the atk*/gdk*/gtk*/glib/
  gio*/gobject-sys/gtk3-macros/proc-macro-error/paste/fxhash/
  webkit2gtk* surface observed in presswerk.
- When (parent is Dioxus GUI) AND (crate is GTK/webkit family), emit
  the Cohort E-2 message naming the no-local-fix path + tracker.
- printpdf+kuchiki sub-rule covers the printpdf-internal HTML→PDF
  parser path.

Five new regression tests in `bridge::classify::tests` (14 total in
the module). Full lib suite: 343 passed.

Also restores the test module corruption in src/assail/analyzer.rs:
the squash-merge sequence for PRs #71 / #77 (refile of #72) / #73
left the file with an unclosed delimiter at line 7962 (count_julia_dce
helper had flake_findings body, julia_ext_jl_dce_is_exempt was missing
its closing braces, two flake tests landed inside the Julia section).
Reassembles each section in its intended location; no test logic
changed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

src/assail/analyzer.rs

@@ -7794,11 +7794,6 @@ pub fn safe_get_x() -> Option<String> {
     // ---------------------------------------------------------------
 
     fn count_julia_dce(content: &str, file_path: &str) -> usize {
-    // flake.nix SupplyChain severity (downgrade to Low when fix is
-    // trivially mechanical — generate flake.lock).
-    // ---------------------------------------------------------------
-
-    fn flake_findings(content: &str, file_path: &str) -> Vec<WeakPoint> {
         let analyzer = Analyzer::new(std::path::Path::new(".")).expect("analyzer construction");
         let mut stats = ProgramStatistics::default();
         let mut wp = Vec::new();
@@ -7817,47 +7812,6 @@ pub fn safe_get_x() -> Option<String> {
             count_julia_dce(src, "FooExt.jl"),
             0,
             "*Ext.jl files use eval/Meta.parse idiomatically — must be exempt"
-            .analyze_config(content, &mut stats, &mut wp, file_path)
-            .expect("analyze_config");
-        wp.into_iter()
-            .filter(|w| matches!(w.category, WeakPointCategory::SupplyChain))
-            .collect()
-    }
-
-    #[test]
-    fn flake_without_lock_is_low_severity() {
-        let src = r#"{
-            inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-            outputs = { self, nixpkgs }: { };
-        }"#;
-        // Use a path that does NOT have a sibling flake.lock in the working dir.
-        let findings = flake_findings(src, "/nonexistent/dir/flake.nix");
-        assert_eq!(findings.len(), 1, "unpinned flake.nix must produce one finding");
-        assert!(
-            matches!(findings[0].severity, Severity::Low),
-            "missing flake.lock alone is mechanically fixable — must be Low severity, got {:?}",
-            findings[0].severity
-        );
-        assert!(
-            findings[0].description.contains("nix flake update"),
-            "description must point at the fix command"
-        );
-    }
-
-    #[test]
-    fn flake_with_narhash_has_no_finding() {
-        let src = r#"{
-            inputs.nixpkgs = {
-                url = "github:NixOS/nixpkgs/nixos-unstable";
-                narHash = "sha256-...";
-            };
-            outputs = { self, nixpkgs }: { };
-        }"#;
-        let findings = flake_findings(src, "/nonexistent/dir/flake.nix");
-        assert_eq!(
-            findings.len(),
-            0,
-            "flake.nix with inline narHash must NOT produce a SupplyChain finding"
         );
     }
 
@@ -7880,6 +7834,10 @@ pub fn safe_get_x() -> Option<String> {
         assert!(
             count_julia_dce(src, "src/dangerous.jl") > 0,
             "non-extension Julia files must still flag eval()"
+        );
+    }
+
+    // ---------------------------------------------------------------
     // Vendored-snapshot directory skip
     // ---------------------------------------------------------------
 
@@ -7944,6 +7902,65 @@ pub fn safe_get_x() -> Option<String> {
                 .iter()
                 .any(|p| p.to_string_lossy().contains("rescript-ecosystem")),
             "rescript-ecosystem vendored snapshot must be skipped"
+        );
+    }
+
+    // ---------------------------------------------------------------
+    // flake.nix SupplyChain severity (downgrade to Low when fix is
+    // trivially mechanical — generate flake.lock). Restored 2026-05-27
+    // after the squash-merge of #77 (refile of #72) collided with #73
+    // and silently dropped the helper + first two tests.
+    // ---------------------------------------------------------------
+
+    fn flake_findings(content: &str, file_path: &str) -> Vec<WeakPoint> {
+        let analyzer = Analyzer::new(std::path::Path::new(".")).expect("analyzer construction");
+        let mut stats = ProgramStatistics::default();
+        let mut wp = Vec::new();
+        analyzer
+            .analyze_config(content, &mut stats, &mut wp, file_path)
+            .expect("analyze_config");
+        wp.into_iter()
+            .filter(|w| matches!(w.category, WeakPointCategory::SupplyChain))
+            .collect()
+    }
+
+    #[test]
+    fn flake_without_lock_is_low_severity() {
+        let src = r#"{
+            inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+            outputs = { self, nixpkgs }: { };
+        }"#;
+        let findings = flake_findings(src, "/nonexistent/dir/flake.nix");
+        assert_eq!(findings.len(), 1, "unpinned flake.nix must produce one finding");
+        assert!(
+            matches!(findings[0].severity, Severity::Low),
+            "missing flake.lock alone is mechanically fixable — must be Low severity, got {:?}",
+            findings[0].severity
+        );
+        assert!(
+            findings[0].description.contains("nix flake update"),
+            "description must point at the fix command"
+        );
+    }
+
+    #[test]
+    fn flake_with_narhash_has_no_finding() {
+        let src = r#"{
+            inputs.nixpkgs = {
+                url = "github:NixOS/nixpkgs/nixos-unstable";
+                narHash = "sha256-...";
+            };
+            outputs = { self, nixpkgs }: { };
+        }"#;
+        let findings = flake_findings(src, "/nonexistent/dir/flake.nix");
+        assert_eq!(
+            findings.len(),
+            0,
+            "flake.nix with inline narHash must NOT produce a SupplyChain finding"
+        );
+    }
+
+    #[test]
     fn flake_with_rev_pins_has_no_finding() {
         let src = r#"{
             inputs.nixpkgs = {