feat: multi-lockfile, OSV retry, language-lock, attest verify, Rule 14, groove versioning

Patch Bridge multi-lockfile (bridge/lockfile.rs, bridge/mod.rs):
  Add parsers for mix.lock (Hex/Elixir), package-lock.json (npm v1/v2/v3),
  and requirements.txt (PyPI exact pins only). discover_and_parse() tries all
  four lockfiles and merges results; triage() no longer bails on non-Rust repos.

OSV API resilience (bridge/intelligence.rs):
  osv_post_with_retry() wraps the ureq POST with 3 attempts and exponential
  backoff (1s, 2s, 4s). Connection errors and 5xx retry; 4xx return immediately.

Framework language-lock (assail/patterns.rs):
  Phoenix, OTP, and Ecto (Cowboy via OTP) patterns now guarded by is_beam check.
  Prevents BEAM-specific attack patterns firing on JS/Rust files in polyglot repos
  that share a top-level mix.exs.

Attestation verify subcommand (attestation/mod.rs, main.rs):
  panic-attack attest verify <file.attestation.json> recomputes the chain hash
  from intent/evidence/report hashes and checks it matches seal.chain_hash.
  Ed25519 signature verification available with --features signing.

Kanren Rule 14 — scanner source literal suppression (kanren/core.rs):
  suppress_scanner_source_literals: suppresses PanicPath on files tagged
  scanner_source (path contains patterns/analyzer/scanner/detector AND
  unwrap_calls/lines >= 0.10), preventing detector string literals from
  producing false PanicPath findings when scanning a code-analysis tool.

Groove capability versioning (groove.rs):
  Service manifest gains capability_version fields per capability and a
  batch_scan capability entry; applicability expanded to include "fleet".

Fix schema_version/safe_unwrap_calls in 9 test files (all 218 lib tests pass).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: hyperpolymath

src/a2ml/mod.rs

@@ -829,6 +829,7 @@ mod tests {
 
     fn sample_assail_report() -> AssailReport {
         AssailReport {
+            schema_version: "2.5".to_string(),
             program_path: PathBuf::from("src/main.rs"),
             language: Language::Rust,
             frameworks: vec![Framework::Unknown],
@@ -850,6 +851,7 @@ mod tests {
                 allocation_sites: 0,
                 io_operations: 0,
                 threading_constructs: 0,
+                safe_unwrap_calls: 0,
             },
             file_statistics: vec![FileStatistics {
                 file_path: "src/main.rs".to_string(),
@@ -861,6 +863,7 @@ mod tests {
                 io_operations: 0,
                 threading_constructs: 0,
                 ffi_safe_wrapper: false,
+                safe_unwrap_calls: 0,
             }],
             recommended_attacks: vec![AttackAxis::Concurrency],
             dependency_graph: DependencyGraph::default(),
@@ -898,6 +901,7 @@ mod tests {
 
     fn sample_ambush_report() -> AssaultReport {
         AssaultReport {
+            schema_version: "2.5".to_string(),
             assail_report: sample_assail_report(),
             attack_results: sample_attack_results(),
             total_crashes: 1,
@@ -994,6 +998,7 @@ mod tests {
 
     fn sample_adjudicate_report() -> adjudicate::AdjudicateReport {
         adjudicate::AdjudicateReport {
+            schema_version: "2.5".to_string(),
             created_at: chrono::Utc::now().to_rfc3339(),
             reports: vec![
                 PathBuf::from("reports/a.json"),

src/assail/analyzer.rs

@@ -6107,6 +6107,7 @@ pub fn call(compiled: &CompiledFunction, args: &[i64]) -> Option<i64> {
             allocation_sites: 0,
             io_operations: 0,
             threading_constructs: 0,
+            safe_unwrap_calls: 0,
         };
         let mut weak_points = Vec::new();
         analyzer
@@ -6161,6 +6162,7 @@ fn pun_u64_to_two_u32s(x: u64) -> (u32, u32) {
             allocation_sites: 0,
             io_operations: 0,
             threading_constructs: 0,
+            safe_unwrap_calls: 0,
         };
         let mut weak_points = Vec::new();
         analyzer
@@ -6212,6 +6214,7 @@ fn pun_in_jit_file(x: u64) -> [u8; 8] {
             allocation_sites: 0,
             io_operations: 0,
             threading_constructs: 0,
+            safe_unwrap_calls: 0,
         };
         let mut weak_points = Vec::new();
         analyzer
@@ -6260,6 +6263,7 @@ fn inspect_token(token: &str) -> TokenData<Claims> {
             allocation_sites: 0,
             io_operations: 0,
             threading_constructs: 0,
+            safe_unwrap_calls: 0,
         };
         let mut weak_points = Vec::new();
         analyzer

src/assail/mod.rs

@@ -572,6 +572,7 @@ mod classifications_tests {
         );
 
         let mut report = AssailReport {
+            schema_version: "2.5".to_string(),
             program_path: tmp.path().to_path_buf(),
             language: Language::Rust,
             frameworks: vec![],
@@ -605,6 +606,7 @@ mod classifications_tests {
                 allocation_sites: 0,
                 io_operations: 0,
                 threading_constructs: 0,
+                safe_unwrap_calls: 0,
             },
             file_statistics: vec![],
             recommended_attacks: vec![],

src/assail/patterns.rs

@@ -43,14 +43,21 @@ impl PatternDetector {
             _ => {}
         }
 
-        // Framework-specific patterns
+        // Framework-specific patterns, with language-lock guards.
+        // Phoenix / OTP / Ecto are BEAM-ecosystem frameworks — they must not
+        // fire on non-BEAM languages even if the framework was detected from
+        // a top-level mix.exs that sits alongside a polyglot source tree.
+        let is_beam = matches!(
+            language,
+            Language::Elixir | Language::Erlang | Language::Gleam
+        );
         for framework in frameworks {
             match framework {
                 Framework::WebServer => patterns.extend(Self::webserver_patterns()),
                 Framework::Database => patterns.extend(Self::database_patterns()),
                 Framework::Concurrent => patterns.extend(Self::concurrency_patterns()),
-                Framework::Phoenix => patterns.extend(Self::phoenix_patterns()),
-                Framework::OTP => patterns.extend(Self::otp_patterns()),
+                Framework::Phoenix if is_beam => patterns.extend(Self::phoenix_patterns()),
+                Framework::OTP if is_beam => patterns.extend(Self::otp_patterns()),
                 _ => {}
             }
         }

src/attestation/mod.rs

@@ -37,3 +37,145 @@ pub use evidence::{EvidenceAccumulator, ExecutionEvidence};
 pub use intent::ExecutionIntent;
 #[allow(unused_imports)]
 pub use seal::ReportSeal;
+
+// ============================================================================
+// Verification
+// ============================================================================
+
+/// Outcome of an attestation verification run.
+#[derive(Debug)]
+pub enum VerifyResult {
+    /// All chain invariants pass; signature verified if present.
+    Ok {
+        issuer: String,
+        issued_at: String,
+        chain_hash: String,
+        signature_verified: bool,
+    },
+    /// One or more chain invariants failed.
+    Failed(Vec<String>),
+}
+
+/// Verify an attestation sidecar file.
+///
+/// Reads the JSON file at `path`, recomputes the chain hash from the stored
+/// intent/evidence/report hashes, and checks that it matches `seal.chain_hash`.
+/// If `seal.signature` and `seal.public_key` are present, also verifies the
+/// Ed25519 signature over the chain hash.
+///
+/// Returns `VerifyResult::Ok` when all checks pass, `VerifyResult::Failed`
+/// with a list of failure reasons otherwise.
+pub fn verify_attestation_file(path: &std::path::Path) -> anyhow::Result<VerifyResult> {
+    use sha2::{Digest, Sha256};
+
+    let content = std::fs::read_to_string(path)
+        .map_err(|e| anyhow::anyhow!("reading {}: {}", path.display(), e))?;
+
+    let envelope: A2mlEnvelope = serde_json::from_str(&content)
+        .map_err(|e| anyhow::anyhow!("parsing attestation envelope: {}", e))?;
+
+    let chain = &envelope.attestation;
+    let seal = &chain.seal;
+    let mut failures = Vec::new();
+
+    // Recompute chain_hash = SHA-256(intent_hash || evidence_hash || report_hash)
+    let mut hasher = Sha256::new();
+    hasher.update(seal.intent_hash.as_bytes());
+    hasher.update(seal.evidence_hash.as_bytes());
+    hasher.update(seal.report_hash.as_bytes());
+    let computed_chain_hash = hex::encode(hasher.finalize());
+
+    if computed_chain_hash != seal.chain_hash {
+        failures.push(format!(
+            "chain_hash mismatch: stored={} computed={}",
+            seal.chain_hash, computed_chain_hash
+        ));
+    }
+
+    // decision_hash in the envelope must match seal.report_hash
+    if envelope.decision_hash != seal.report_hash {
+        failures.push(format!(
+            "decision_hash mismatch: envelope={} seal={}",
+            envelope.decision_hash, seal.report_hash
+        ));
+    }
+
+    // Ed25519 signature verification (requires `signing` feature)
+    let signature_verified = verify_signature(seal, &mut failures);
+
+    if !failures.is_empty() {
+        return Ok(VerifyResult::Failed(failures));
+    }
+
+    Ok(VerifyResult::Ok {
+        issuer: envelope.issuer.clone(),
+        issued_at: envelope.issued_at.clone(),
+        chain_hash: seal.chain_hash.clone(),
+        signature_verified,
+    })
+}
+
+#[cfg(feature = "signing")]
+fn verify_signature(seal: &ReportSeal, failures: &mut Vec<String>) -> bool {
+    use ed25519_dalek::{Signature, VerifyingKey};
+
+    let (sig_hex, pk_hex) = match (&seal.signature, &seal.public_key) {
+        (Some(s), Some(k)) => (s, k),
+        _ => return false, // no signature present — skip
+    };
+
+    let sig_bytes = match hex::decode(sig_hex) {
+        Ok(b) => b,
+        Err(_) => {
+            failures.push("signature field is not valid hex".to_string());
+            return false;
+        }
+    };
+
+    let pk_bytes = match hex::decode(pk_hex) {
+        Ok(b) => b,
+        Err(_) => {
+            failures.push("public_key field is not valid hex".to_string());
+            return false;
+        }
+    };
+
+    let sig_array: [u8; 64] = match sig_bytes.try_into() {
+        Ok(a) => a,
+        Err(_) => {
+            failures.push("signature must be 64 bytes".to_string());
+            return false;
+        }
+    };
+
+    let pk_array: [u8; 32] = match pk_bytes.try_into() {
+        Ok(a) => a,
+        Err(_) => {
+            failures.push("public_key must be 32 bytes".to_string());
+            return false;
+        }
+    };
+
+    let verifying_key = match VerifyingKey::from_bytes(&pk_array) {
+        Ok(k) => k,
+        Err(e) => {
+            failures.push(format!("invalid Ed25519 public key: {}", e));
+            return false;
+        }
+    };
+
+    let signature = Signature::from_bytes(&sig_array);
+    use ed25519_dalek::Verifier;
+    match verifying_key.verify(seal.chain_hash.as_bytes(), &signature) {
+        Ok(()) => true,
+        Err(e) => {
+            failures.push(format!("Ed25519 signature verification failed: {}", e));
+            false
+        }
+    }
+}
+
+#[cfg(not(feature = "signing"))]
+fn verify_signature(_seal: &ReportSeal, _failures: &mut Vec<String>) -> bool {
+    false
+}

src/bridge/intelligence.rs

@@ -136,33 +136,7 @@ pub fn query_osv_batch(deps: &[LockedDependency]) -> Result<Vec<Vulnerability>>
 
         let body_bytes = serde_json::to_vec(&request)?;
 
-        let mut resp = ureq::post("https://api.osv.dev/v1/querybatch")
-            .header("Content-Type", "application/json")
-            .send(&body_bytes[..])
-            .map_err(|e| anyhow::anyhow!("OSV API request failed: {}", e))?;
-
-        let status = resp.status().as_u16();
-        if !(200..300).contains(&status) {
-            // Cap error-body reads at 64 KiB — for error paths we only
-            // need enough context to report, not the full OSV error blob.
-            let buf = resp
-                .body_mut()
-                .with_config()
-                .limit(64 * 1024)
-                .read_to_string()
-                .unwrap_or_default();
-            anyhow::bail!("OSV API returned HTTP {}: {}", status, buf);
-        }
-
-        // Cap success-body reads at 256 MiB. OSV batch responses for
-        // ~1000-dep projects run a few MiB at most; 256 MiB is an order
-        // of magnitude beyond any realistic response and prevents a
-        // misbehaving or hostile OSV endpoint from exhausting memory.
-        let response_text = resp
-            .body_mut()
-            .with_config()
-            .limit(256 * 1024 * 1024)
-            .read_to_string()?;
+        let response_text = osv_post_with_retry(&body_bytes)?;
         let response: OsvBatchResponse = serde_json::from_str(&response_text)?;
 
         // Map OSV results back to dependencies
@@ -177,6 +151,80 @@ pub fn query_osv_batch(deps: &[LockedDependency]) -> Result<Vec<Vulnerability>>
     Ok(all_vulns)
 }
 
+// ============================================================================
+// Networking helpers
+// ============================================================================
+
+const OSV_ENDPOINT: &str = "https://api.osv.dev/v1/querybatch";
+/// Maximum number of retry attempts for transient OSV API failures.
+const OSV_MAX_RETRIES: u32 = 3;
+
+/// POST body bytes to the OSV batch endpoint with exponential-backoff retry.
+///
+/// Retries on connection errors and 5xx responses. 4xx errors are permanent
+/// failures (bad request / auth) and are returned immediately without retry.
+/// Delays: 1 s, 2 s, 4 s (capped at 3 attempts total).
+fn osv_post_with_retry(body_bytes: &[u8]) -> Result<String> {
+    let mut last_err = anyhow::anyhow!("no attempts made");
+
+    for attempt in 0..OSV_MAX_RETRIES {
+        if attempt > 0 {
+            let delay = std::time::Duration::from_secs(1u64 << (attempt - 1));
+            std::thread::sleep(delay);
+        }
+
+        let send_result = ureq::post(OSV_ENDPOINT)
+            .header("Content-Type", "application/json")
+            .send(body_bytes);
+
+        match send_result {
+            Err(e) => {
+                // Connection-level error — always retry
+                last_err = anyhow::anyhow!("OSV API request failed (attempt {}): {}", attempt + 1, e);
+                log::warn!("[bridge] OSV attempt {}/{}: {}", attempt + 1, OSV_MAX_RETRIES, last_err);
+                continue;
+            }
+            Ok(mut resp) => {
+                let status = resp.status().as_u16();
+
+                if status >= 500 {
+                    // Server error — retry
+                    let buf = resp
+                        .body_mut()
+                        .with_config()
+                        .limit(64 * 1024)
+                        .read_to_string()
+                        .unwrap_or_default();
+                    last_err = anyhow::anyhow!("OSV API returned HTTP {} (attempt {}): {}", status, attempt + 1, buf);
+                    log::warn!("[bridge] OSV attempt {}/{}: HTTP {}", attempt + 1, OSV_MAX_RETRIES, status);
+                    continue;
+                }
+
+                if !(200..300).contains(&status) {
+                    // 4xx — permanent failure, do not retry
+                    let buf = resp
+                        .body_mut()
+                        .with_config()
+                        .limit(64 * 1024)
+                        .read_to_string()
+                        .unwrap_or_default();
+                    anyhow::bail!("OSV API returned HTTP {}: {}", status, buf);
+                }
+
+                // 2xx — success. Cap body at 256 MiB.
+                let text = resp
+                    .body_mut()
+                    .with_config()
+                    .limit(256 * 1024 * 1024)
+                    .read_to_string()?;
+                return Ok(text);
+            }
+        }
+    }
+
+    Err(last_err)
+}
+
 // ============================================================================
 // Mapping helpers
 // ============================================================================