
feat(query): facts-backed (crosslang :from :to) evaluator (issue #33 follow-up)#63

Merged: hyperpolymath merged 1 commit into main from feat/crosslang-query-facts-backed (May 27, 2026)

Conversation

@hyperpolymath (Owner)

Summary

  • Switches Query::Crosslang { from, to } to a facts-backed evaluator
    when <dir>/hexads/crosslang/ has persisted CrosslangSemantic
    hexads (PR #61: feat(storage): persist kanren CrossLangInteraction as hexads (issue #33 follow-up)): a TO-category finding matches iff there is a
    persisted CrossLangInteraction in the same repo whose source or
    target file equals the file of a FROM-category finding.
  • Falls back to the previous same-repo co-occurrence proxy when no
    crosslang hexads exist on disk. This preserves S3b semantics for
    users who have not enabled PANIC_ATTACK_STORE_CROSSLANG_HEXADS=1
    yet.
  • Drops the obsolete #[allow(dead_code)] on
    storage::load_crosslang_hexads and refreshes the
    Query::Crosslang docstring to describe both modes.

Why

The proxy admits in-repo category co-occurrences even when no FFI
boundary actually connects the findings (e.g. an UnsafeFFI-bearing
repo containing an unrelated ProofDrift in a non-FFI module). The
facts-backed mode prunes that ghost-pair class.

Test plan

  • cargo test --lib — 255 tests pass, including 3 new
    query::tests::run_crosslang_* cases: facts-backed matches,
    fall-back to co-occurrence when no facts on disk, mixed setup
    where facts exist but no endpoint touches the FROM-file.
  • cargo clippy --all-targets -- -D warnings clean.
  • cargo fmt --all no diff.

Stacks on top of PR #61 locally; filed against main per orphan-trap
rule (gh pr merge --auto will queue it once PR #61 lands).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@hyperpolymath hyperpolymath enabled auto-merge (squash) May 26, 2026 12:49
@github-actions

🔍 Hypatia Security Scan

Findings: 45 issues detected

| Severity | Count |
|---|---|
| 🔴 Critical | 4 |
| 🟠 High | 16 |
| 🟡 Medium | 25 |

⚠️ Action Required: Critical security issues found!

View findings
```json
[
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Nickel file missing SPDX-License-Identifier header (1 occurrences, CWE-1104)",
    "type": "ncl_missing_spdx",
    "file": "/home/runner/work/panic-attack/panic-attack/reports/panic-attack-20260211180017.ncl",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (2 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/panic-attack/panic-attack/src/attestation/chain.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unwrap_or(0) with dangerous default (1 occurrences, CWE-754)",
    "type": "unwrap_dangerous_default",
    "file": "/home/runner/work/panic-attack/panic-attack/src/attestation/evidence.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "unwrap_or(0) with dangerous default (1 occurrences, CWE-754)",
    "type": "unwrap_dangerous_default",
    "file": "/home/runner/work/panic-attack/panic-attack/src/ambush/mod.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "unwrap_or(0) with dangerous default (3 occurrences, CWE-754)",
    "type": "unwrap_dangerous_default",
    "file": "/home/runner/work/panic-attack/panic-attack/src/kanren/strategy.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "unwrap_or(0) with dangerous default (3 occurrences, CWE-754)",
    "type": "unwrap_dangerous_default",
    "file": "/home/runner/work/panic-attack/panic-attack/src/axial/mod.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "expect() in hot path (4 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/panic-attack/panic-attack/src/assail/analyzer.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unwrap() without prior check -- DoS via panic (4 occurrences, CWE-754)",
    "type": "unwrap_without_check",
    "file": "/home/runner/work/panic-attack/panic-attack/benches/scan_bench.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "expect() in hot path (2 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/panic-attack/panic-attack/benches/scan_bench.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  }
]
```

Powered by Hypatia Neurosymbolic CI/CD Intelligence

…follow-up)

Tightens `(crosslang :from :to)` from a same-repo co-occurrence proxy to
true FFI/cross-language reachability against persisted kanren-derived
facts, while preserving the proxy as a fall-back for users who have not
opted into crosslang hexad persistence.

Mode selection happens once per query run in `load_context`:
- If `<dir>/hexads/crosslang/` has ≥ 1 hexad with `CrosslangSemantic`,
  the evaluator builds a per-repo `(source_file, target_file)` endpoint
  index and a per-repo, per-category file index. A `TO`-category
  finding matches iff there is an interaction in the same repo whose
  source or target file equals the file of a `FROM`-category finding —
  the "real" reachability check.
- Otherwise it falls through to the existing same-repo category
  co-occurrence proxy. This preserves S3b semantics for callers that
  haven't enabled `PANIC_ATTACK_STORE_CROSSLANG_HEXADS=1` yet.

The pruning matters because the proxy admits cross-finding co-occurrences
inside one repo even when no FFI boundary actually connects them; the
facts-backed mode rejects such ghost-pairs.

Tests (+3 in `query::tests`, 255 lib tests pass):
- `run_crosslang_facts_backed_matches`: plant a synthetic interaction
  with one endpoint at the UnsafeCode finding's file; CryptoMisuse
  finding in the same repo now matches via facts.
- `run_crosslang_falls_back_to_co_occurrence_when_no_facts`: no hexads
  on disk → legacy proxy path, same hit set as before.
- `run_crosslang_facts_backed_no_match_when_endpoint_misses`: hexads
  present but no interaction touches the FROM-finding's file → reject.
  This is the false-positive the proxy can't prune.

Also drops the obsolete `#[allow(dead_code)]` on
`storage::load_crosslang_hexads` (now actively used) and refreshes the
`Query::Crosslang` doc to describe both modes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
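A model of the two evaluator modes described in the PR summary and the commit message above, added here as an illustration with hypothetical stand-in types (not panic-attack's own code): `run_crosslang` builds the per-repo FROM-category file index, then either consults persisted interactions (facts-backed mode) or falls back to the same-repo co-occurrence proxy, and `sample` constructs one real FFI edge beside a ghost pair that only the facts-backed mode rejects.

```rust
// Added illustration of the two `(crosslang :from :to)` modes described in the PR;
// hypothetical stand-in types, not panic-attack's own code.
use std::collections::{HashMap, HashSet};

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Category { UnsafeCode, CryptoMisuse }
#[derive(Clone, Debug)]
pub struct Finding { pub repo: String, pub file: String, pub category: Category }
/// One persisted CrossLangInteraction: an FFI edge between two files of a repo.
#[derive(Clone, Debug)]
pub struct Interaction { pub repo: String, pub source_file: String, pub target_file: String }

/// Returns the TO-category findings that match. Facts-backed mode (any interaction on
/// disk): a TO finding matches iff an interaction in its repo has a source or target
/// file equal to the file of a FROM finding. Otherwise: same-repo co-occurrence proxy.
pub fn run_crosslang<'a>(findings: &'a [Finding], facts: &[Interaction],
                         from: Category, to: Category) -> Vec<&'a Finding> {
    // Per-repo file index restricted to the FROM category.
    let mut from_files: HashMap<&str, HashSet<&str>> = HashMap::new();
    for f in findings.iter().filter(|f| f.category == from) {
        from_files.entry(f.repo.as_str()).or_default().insert(f.file.as_str());
    }
    let reachable: HashSet<&str> = if facts.is_empty() {
        from_files.keys().copied().collect() // proxy: FROM present anywhere in the repo
    } else {
        facts.iter()
            .filter(|i| from_files.get(i.repo.as_str()).map_or(false, |files|
                files.contains(i.source_file.as_str()) || files.contains(i.target_file.as_str())))
            .map(|i| i.repo.as_str())
            .collect()
    };
    findings.iter().filter(|f| f.category == to && reachable.contains(f.repo.as_str())).collect()
}

fn finding(repo: &str, file: &str, category: Category) -> Finding {
    Finding { repo: repo.into(), file: file.into(), category }
}

/// Constructed sample: repo "a" has an FFI edge touching its UnsafeCode file; repo "b"
/// has the same two categories but no interaction touches ffi.rs (a ghost pair).
pub fn sample() -> (Vec<Finding>, Vec<Interaction>) {
    let findings = vec![
        finding("a", "ffi.rs", Category::UnsafeCode), finding("a", "crypto.rs", Category::CryptoMisuse),
        finding("b", "ffi.rs", Category::UnsafeCode), finding("b", "crypto.rs", Category::CryptoMisuse),
    ];
    let facts = vec![
        Interaction { repo: "a".into(), source_file: "ffi.rs".into(), target_file: "native.c".into() },
        Interaction { repo: "b".into(), source_file: "other.rs".into(), target_file: "native.c".into() },
    ];
    (findings, facts)
}
```

With the sample, the proxy returns both CryptoMisuse findings, while facts-backed mode keeps only repo "a"; passing only repo "b"'s interaction reproduces the mixed case from the test plan and yields no match.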
@hyperpolymath hyperpolymath force-pushed the feat/crosslang-query-facts-backed branch from 75bca99 to 2f3a138, May 27, 2026 13:30
@hyperpolymath hyperpolymath merged commit 7935204 into main May 27, 2026
15 of 26 checks passed
@hyperpolymath hyperpolymath deleted the feat/crosslang-query-facts-backed branch May 27, 2026 13:30
@github-actions

🔍 Hypatia Security Scan

Findings: 74 issues detected

| Severity | Count |
|---|---|
| 🔴 Critical | 7 |
| 🟠 High | 16 |
| 🟡 Medium | 51 |

⚠️ Action Required: Critical security issues found!

View findings
```json
[
  {
    "reason": "Issue in boj-build.yml",
    "type": "unknown",
    "file": "boj-build.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in cargo-audit.yml",
    "type": "unknown",
    "file": "cargo-audit.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in casket-pages.yml",
    "type": "unknown",
    "file": "casket-pages.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in casket-pages.yml",
    "type": "unknown",
    "file": "casket-pages.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "unknown",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in coverage.yml",
    "type": "unknown",
    "file": "coverage.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dependency-review.yml",
    "type": "unknown",
    "file": "dependency-review.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]
```

Powered by Hypatia Neurosymbolic CI/CD Intelligence
