feat(storage): persist kanren CrossLangInteraction as hexads (issue #33 follow-up) #61
Merged
🔍 Hypatia Security Scan
Findings: 45 issues detected

```json
[
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Nickel file missing SPDX-License-Identifier header (1 occurrences, CWE-1104)",
    "type": "ncl_missing_spdx",
    "file": "/home/runner/work/panic-attack/panic-attack/reports/panic-attack-20260211180017.ncl",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (2 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/panic-attack/panic-attack/src/attestation/chain.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unwrap_or(0) with dangerous default (1 occurrences, CWE-754)",
    "type": "unwrap_dangerous_default",
    "file": "/home/runner/work/panic-attack/panic-attack/src/attestation/evidence.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "unwrap_or(0) with dangerous default (1 occurrences, CWE-754)",
    "type": "unwrap_dangerous_default",
    "file": "/home/runner/work/panic-attack/panic-attack/src/ambush/mod.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "unwrap_or(0) with dangerous default (3 occurrences, CWE-754)",
    "type": "unwrap_dangerous_default",
    "file": "/home/runner/work/panic-attack/panic-attack/src/kanren/strategy.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "unwrap_or(0) with dangerous default (3 occurrences, CWE-754)",
    "type": "unwrap_dangerous_default",
    "file": "/home/runner/work/panic-attack/panic-attack/src/axial/mod.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "expect() in hot path (4 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/panic-attack/panic-attack/src/assail/analyzer.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unwrap() without prior check -- DoS via panic (4 occurrences, CWE-754)",
    "type": "unwrap_without_check",
    "file": "/home/runner/work/panic-attack/panic-attack/benches/scan_bench.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "expect() in hot path (2 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/panic-attack/panic-attack/benches/scan_bench.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  }
]
```

Powered by Hypatia Neurosymbolic CI/CD Intelligence
… follow-up)
Adds a per-cross-language-interaction hexad facet so the `(crosslang :from :to)`
query evaluator can graduate from a same-repo co-occurrence proxy to true
FFI/cross-language reachability over persisted kanren-derived facts.
- `HexadSemantic.crosslang: Option<CrosslangSemantic>` (additive,
`skip_serializing_if`, opt-in via env var).
- `CrosslangSemantic { interaction_id, source_lang, target_lang, mechanism,
source_file, source_line, target_file, target_line, repo_name }`.
- `build_crosslang_hexads(report) -> Vec<PanicAttackHexad>` — drives the
kanren pipeline per repo (ingest → extract → load_rules → analyze →
query_interactions) and emits one hexad per `CrossLangInteraction`.
- New env var `PANIC_ATTACK_STORE_CROSSLANG_HEXADS` (separate from the
finding-hexad gate so callers can opt into one without the other);
default off, mirrors the `PANIC_ATTACK_STORE_FINDING_HEXADS` shape.
- Wired into `persist_assemblyline_report` — file-side only for now to
keep API surface stable; HTTP push deferred.
- `load_crosslang_hexads(base_dir)` helper (allow(dead_code) until the
paired query-evaluator PR is filed).
Tests (+4 in `storage::tests`, 252 lib tests pass): build-from-empty
returns empty Vec; build-from-real-UnsafeFFI-weak-point yields ≥1 hexad
with non-empty mechanism + repo-scoped interaction_id; write/read
roundtrip including missing-dir-returns-empty; env-var default-off
+ on-with-`1`.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
96c76df to 3ccd9bf
hyperpolymath added a commit that referenced this pull request on May 27, 2026
…follow-up) (#63)

## Summary

- Switches `Query::Crosslang { from, to }` to a facts-backed evaluator when `<dir>/hexads/crosslang/` has persisted `CrosslangSemantic` hexads (PR #61): a `TO`-category finding matches iff there is a persisted `CrossLangInteraction` in the same repo whose source or target file equals the file of a `FROM`-category finding.
- Falls back to the previous same-repo co-occurrence proxy when no crosslang hexads exist on disk. This preserves S3b semantics for users who have not enabled `PANIC_ATTACK_STORE_CROSSLANG_HEXADS=1` yet.
- Drops the obsolete `#[allow(dead_code)]` on `storage::load_crosslang_hexads` and refreshes the `Query::Crosslang` docstring to describe both modes.

## Why

The proxy admits in-repo category co-occurrences even when no FFI boundary actually connects the findings (e.g. an `UnsafeFFI`-bearing repo containing an unrelated `ProofDrift` in a non-FFI module). The facts-backed mode prunes that ghost-pair class.

## Test plan

- [x] `cargo test --lib` — 255 tests pass, including 3 new `query::tests::run_crosslang_*` cases: facts-backed matches, fall-back to co-occurrence when no facts on disk, mixed setup where facts exist but no endpoint touches the FROM-file.
- [x] `cargo clippy --all-targets -- -D warnings` clean.
- [x] `cargo fmt --all` no diff.

Stacks on top of PR #61 locally; filed against `main` per orphan-trap rule (`gh pr merge --auto` will queue it once PR #61 lands).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
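The two evaluator modes the #63 message describes (facts-backed when crosslang hexads were loaded from disk, same-repo co-occurrence proxy otherwise), as an added Rust example that is not the project's code: `Finding`, `CrosslangFact` and the three function names are assumed shapes, and the findings and facts in `main` are constructed sample data.

```rust
use std::collections::HashSet;

/// Persisted cross-language fact, reduced to the `CrosslangSemantic` fields the
/// evaluator consults (assumed shape, not the project's own type).
#[derive(Debug, Clone)]
pub struct CrosslangFact { pub repo_name: String, pub source_file: String, pub target_file: String }
/// A finding reduced to what `(crosslang :from :to)` needs (assumed shape).
#[derive(Debug, Clone, PartialEq)]
pub struct Finding { pub repo_name: String, pub file: String }

pub fn finding(repo: &str, file: &str) -> Finding {
    Finding { repo_name: repo.into(), file: file.into() }
}
pub fn fact(repo: &str, src: &str, dst: &str) -> CrosslangFact {
    CrosslangFact { repo_name: repo.into(), source_file: src.into(), target_file: dst.into() }
}
/// Same-repo co-occurrence proxy: a TO finding matches iff any FROM finding
/// lives in the same repo, whether or not an FFI boundary connects them.
pub fn crosslang_proxy(from: &[Finding], to: &[Finding]) -> Vec<Finding> {
    let repos: HashSet<&str> = from.iter().map(|f| f.repo_name.as_str()).collect();
    to.iter().filter(|t| repos.contains(t.repo_name.as_str())).cloned().collect()
}

/// Facts-backed mode: a TO finding matches iff a persisted interaction in the
/// same repo has some FROM finding's file as its source or target endpoint.
pub fn crosslang_facts(from: &[Finding], to: &[Finding], facts: &[CrosslangFact]) -> Vec<Finding> {
    // Every (repo, file) pair that some persisted interaction touches.
    let endpoints: HashSet<(&str, &str)> = facts.iter()
        .flat_map(|x| [(x.repo_name.as_str(), x.source_file.as_str()), (x.repo_name.as_str(), x.target_file.as_str())])
        .collect();
    // Repos in which at least one FROM finding sits on such an endpoint.
    let live: HashSet<&str> = from.iter()
        .filter(|f| endpoints.contains(&(f.repo_name.as_str(), f.file.as_str())))
        .map(|f| f.repo_name.as_str()).collect();
    to.iter().filter(|t| live.contains(t.repo_name.as_str())).cloned().collect()
}

/// Mode selection: facts when any were loaded from `<dir>/hexads/crosslang/`
/// (a missing dir loads as an empty Vec), otherwise the proxy.
pub fn run_crosslang(from: &[Finding], to: &[Finding], facts: &[CrosslangFact]) -> Vec<Finding> {
    if facts.is_empty() { crosslang_proxy(from, to) } else { crosslang_facts(from, to, facts) }
}
fn main() {
    // Constructed sample: an FFI finding in ffi.rs (FROM) and an unrelated one in core.rs (TO).
    let (from, to) = ([finding("repo-a", "src/ffi.rs")], [finding("repo-a", "src/core.rs")]);
    println!("no facts -> proxy: {:?}", run_crosslang(&from, &to, &[]));
    println!("fact touching ffi.rs: {:?}", run_crosslang(&from, &to, &[fact("repo-a", "src/ffi.rs", "lib/bridge.c")]));
    println!("fact elsewhere: {:?}", run_crosslang(&from, &to, &[fact("repo-a", "src/other.rs", "lib/x.c")]));
}
```

The third call is the "mixed setup" case from the test plan: facts exist, but none touches the FROM file, so the TO finding is no longer admitted.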
🔍 Hypatia Security Scan
Findings: 74 issues detected

```json
[
  {
    "reason": "Issue in boj-build.yml",
    "type": "unknown",
    "file": "boj-build.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in cargo-audit.yml",
    "type": "unknown",
    "file": "cargo-audit.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in casket-pages.yml",
    "type": "unknown",
    "file": "casket-pages.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in casket-pages.yml",
    "type": "unknown",
    "file": "casket-pages.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "unknown",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in coverage.yml",
    "type": "unknown",
    "file": "coverage.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dependency-review.yml",
    "type": "unknown",
    "file": "dependency-review.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]
```

Powered by Hypatia Neurosymbolic CI/CD Intelligence
## Summary

- `HexadSemantic.crosslang: Option<CrosslangSemantic>` facet and a `build_crosslang_hexads(...)` helper that drives the kanren `CrossLangAnalyzer` per repo (ingest → extract → load_rules → analyze → query_interactions) and emits one hexad per derived `CrossLangInteraction`.
- `PANIC_ATTACK_STORE_CROSSLANG_HEXADS` (separate from `PANIC_ATTACK_STORE_FINDING_HEXADS`) opts a run into emission; `persist_assemblyline_report` writes to `<dir>/hexads/crosslang/` file-side only.
- `load_crosslang_hexads(base_dir)` so the paired query-evaluator PR can match against persisted facts; falls back to an empty `Vec` when the dir is missing (the evaluator treats that as "use co-occurrence proxy").

## Why

Tightens the `(crosslang :from :to)` query from a same-repo co-occurrence proxy to a true FFI/cross-language reachability check against persisted kanren-derived facts. PR 1 of a 2-PR stack; PR 2 switches the evaluator over while preserving fall-back semantics.

## Test plan

- `cargo test --lib` — 252 tests pass, including 4 new `storage::tests::*crosslang*` cases (build-empty, build-from-FFI, write/read roundtrip + missing-dir, env-var default-off + opt-in).
- `cargo clippy --all-targets -- -D warnings` clean.
- `cargo fmt --all` no diff.

Stacks under: issue #33 S1/S2/S3 PRs (#55, #56, #57, #58). Filed against `main` per orphan-trap rule.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>