feat(bridge): cohort overrides for vendored-pin (#74) + Dioxus/GTK transitive (#75) (#78)

## Summary

Two layered refinements on top of #76 (phantom-declared /
phantom-transitive split). Same three-way
Mitigable/Unmitigable/Informational output, but the Informational tier
now produces an accurate \`action\` field for two cohorts where the
generic message was misleading.

Closes #74 in part (build-script-only /
vendored-pin name-list portion).
Closes #75.

## Cohort E-3 — build-script-only / vendored-pin (#74, partial)

A naive \`cargo machete --fix\` strip of certain phantom-declared crates
breaks the build inscrutably (cross-compile TLS, native-lib resolution,
build-time codegen). New \`is_build_script_only_or_vendored_pin(name)\`
predicate covers crates that **have no \`use\` site by design**:

- Build-script side-effect crates: \`pkg-config\`, \`cc\`, \`bindgen\`,
\`cmake\`, \`autocfg\`, \`vcpkg\`, \`winres\`, \`embed-resource\`
- Canonical vendored-pin: \`openssl-src\`

When a phantom-declared crate matches, the action flips from \"Strip
from Cargo.toml\" to \"DO NOT STRIP — load-bearing via build.rs
side-effects or native-lib linkage\".

**Future follow-up**: feature-based detection (e.g. \`openssl-sys = {
features = [\"vendored\"] }\`) needs feature-set plumbing through
\`ReachabilityEvidence\` — left out of scope.

## Cohort E-2 — Dioxus/GTK transitive (#75)

Phantom-transitive advisories where the parent is in the Dioxus desktop
family (\`wry\`, \`dioxus-desktop\`, \`dioxus\`) and the affected crate
is in the GTK/webkit family now get a Cohort E-2 message naming the
no-local-fix path (wait for parent release, or swap the desktop
renderer). Sub-rule covers \`printpdf\`→\`kuchiki\`.

GTK/webkit family matched: \`atk*\`, \`gdk*\`, \`gtk*\`, \`glib\`,
\`glib-sys\`, \`gio\`, \`gio-sys\`, \`gobject-sys\`, \`gtk3-macros\`,
\`proc-macro-error\`, \`paste\`, \`fxhash\`, \`webkit2gtk\`,
\`webkit2gtk-sys\`.

## Bonus repair: src/assail/analyzer.rs test-module corruption

The squash-merge sequence of PRs #71 (Julia) → #77 (refile of #72
vendored-snapshot) → #73 (flake.lock) left \`src/assail/analyzer.rs\`
with an unclosed-delimiter at line 7962:

- \`count_julia_dce\` had \`flake_findings\` body
- \`julia_ext_jl_dce_is_exempt\` was missing closing braces
- Two flake tests (\`flake_without_lock_is_low_severity\`,
\`flake_with_narhash_has_no_finding\`) had landed inside the Julia
section

\`cargo test --lib\` was failing to compile on main as a result. This PR
reassembles each section in its intended location; no test logic
changed.

## Test plan

- [x] \`cargo test --features http --lib bridge::classify::\` — 14/14
pass (5 new + 9 existing)
- [x] \`cargo test --features http --lib\` — 343 lib tests pass (was
previously failing to compile)
- [x] \`cargo check --features http\` — green

## Changes

- \`src/bridge/classify.rs\`: +268 / -29 lines (3 predicate fns + 2
cohort override branches + 5 regression tests)
- \`src/assail/analyzer.rs\`: +/-109 lines, net wash (reassemble
corrupted test sections)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

src/assail/analyzer.rs

@@ -7794,11 +7794,6 @@ pub fn safe_get_x() -> Option<String> {
     // ---------------------------------------------------------------
 
     fn count_julia_dce(content: &str, file_path: &str) -> usize {
-    // flake.nix SupplyChain severity (downgrade to Low when fix is
-    // trivially mechanical — generate flake.lock).
-    // ---------------------------------------------------------------
-
-    fn flake_findings(content: &str, file_path: &str) -> Vec<WeakPoint> {
         let analyzer = Analyzer::new(std::path::Path::new(".")).expect("analyzer construction");
         let mut stats = ProgramStatistics::default();
         let mut wp = Vec::new();
@@ -7817,47 +7812,6 @@ pub fn safe_get_x() -> Option<String> {
             count_julia_dce(src, "FooExt.jl"),
             0,
             "*Ext.jl files use eval/Meta.parse idiomatically — must be exempt"
-            .analyze_config(content, &mut stats, &mut wp, file_path)
-            .expect("analyze_config");
-        wp.into_iter()
-            .filter(|w| matches!(w.category, WeakPointCategory::SupplyChain))
-            .collect()
-    }
-
-    #[test]
-    fn flake_without_lock_is_low_severity() {
-        let src = r#"{
-            inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-            outputs = { self, nixpkgs }: { };
-        }"#;
-        // Use a path that does NOT have a sibling flake.lock in the working dir.
-        let findings = flake_findings(src, "/nonexistent/dir/flake.nix");
-        assert_eq!(findings.len(), 1, "unpinned flake.nix must produce one finding");
-        assert!(
-            matches!(findings[0].severity, Severity::Low),
-            "missing flake.lock alone is mechanically fixable — must be Low severity, got {:?}",
-            findings[0].severity
-        );
-        assert!(
-            findings[0].description.contains("nix flake update"),
-            "description must point at the fix command"
-        );
-    }
-
-    #[test]
-    fn flake_with_narhash_has_no_finding() {
-        let src = r#"{
-            inputs.nixpkgs = {
-                url = "github:NixOS/nixpkgs/nixos-unstable";
-                narHash = "sha256-...";
-            };
-            outputs = { self, nixpkgs }: { };
-        }"#;
-        let findings = flake_findings(src, "/nonexistent/dir/flake.nix");
-        assert_eq!(
-            findings.len(),
-            0,
-            "flake.nix with inline narHash must NOT produce a SupplyChain finding"
         );
     }
 
@@ -7880,6 +7834,10 @@ pub fn safe_get_x() -> Option<String> {
         assert!(
             count_julia_dce(src, "src/dangerous.jl") > 0,
             "non-extension Julia files must still flag eval()"
+        );
+    }
+
+    // ---------------------------------------------------------------
     // Vendored-snapshot directory skip
     // ---------------------------------------------------------------
 
@@ -7944,6 +7902,65 @@ pub fn safe_get_x() -> Option<String> {
                 .iter()
                 .any(|p| p.to_string_lossy().contains("rescript-ecosystem")),
             "rescript-ecosystem vendored snapshot must be skipped"
+        );
+    }
+
+    // ---------------------------------------------------------------
+    // flake.nix SupplyChain severity (downgrade to Low when fix is
+    // trivially mechanical — generate flake.lock). Restored 2026-05-27
+    // after the squash-merge of #77 (refile of #72) collided with #73
+    // and silently dropped the helper + first two tests.
+    // ---------------------------------------------------------------
+
+    fn flake_findings(content: &str, file_path: &str) -> Vec<WeakPoint> {
+        let analyzer = Analyzer::new(std::path::Path::new(".")).expect("analyzer construction");
+        let mut stats = ProgramStatistics::default();
+        let mut wp = Vec::new();
+        analyzer
+            .analyze_config(content, &mut stats, &mut wp, file_path)
+            .expect("analyze_config");
+        wp.into_iter()
+            .filter(|w| matches!(w.category, WeakPointCategory::SupplyChain))
+            .collect()
+    }
+
+    #[test]
+    fn flake_without_lock_is_low_severity() {
+        let src = r#"{
+            inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+            outputs = { self, nixpkgs }: { };
+        }"#;
+        let findings = flake_findings(src, "/nonexistent/dir/flake.nix");
+        assert_eq!(findings.len(), 1, "unpinned flake.nix must produce one finding");
+        assert!(
+            matches!(findings[0].severity, Severity::Low),
+            "missing flake.lock alone is mechanically fixable — must be Low severity, got {:?}",
+            findings[0].severity
+        );
+        assert!(
+            findings[0].description.contains("nix flake update"),
+            "description must point at the fix command"
+        );
+    }
+
+    #[test]
+    fn flake_with_narhash_has_no_finding() {
+        let src = r#"{
+            inputs.nixpkgs = {
+                url = "github:NixOS/nixpkgs/nixos-unstable";
+                narHash = "sha256-...";
+            };
+            outputs = { self, nixpkgs }: { };
+        }"#;
+        let findings = flake_findings(src, "/nonexistent/dir/flake.nix");
+        assert_eq!(
+            findings.len(),
+            0,
+            "flake.nix with inline narHash must NOT produce a SupplyChain finding"
+        );
+    }
+
+    #[test]
     fn flake_with_rev_pins_has_no_finding() {
         let src = r#"{
             inputs.nixpkgs = {