docs: add TEST-NEEDS.md and/or PROOF-NEEDS.md from audit

Documents testing and proof gaps identified during batch audit.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

PROOF-NEEDS.md

@@ -0,0 +1,25 @@
+# PROOF-NEEDS.md — polysafe-gitfixer
+
+## Current State
+
+- **src/abi/*.idr**: NO
+- **Dangerous patterns**: 0
+- **LOC**: ~1,400 (Rust + Elixir NIFs)
+- **ABI layer**: Missing
+
+## What Needs Proving
+
+| Component | What | Why |
+|-----------|------|-----|
+| Capability system | Capability grants are minimal and non-escalating | Over-privileged operations can damage repositories |
+| Git operations | Git modifications preserve repository integrity | Corrupting git repos is catastrophic |
+| File system operations | FS ops respect capability boundaries | Escaping sandbox damages the host system |
+| NIF safety | Elixir NIF bridge does not corrupt BEAM VM memory | NIF bugs crash the entire Erlang VM |
+
+## Recommended Prover
+
+**Idris2** — Create `src/abi/` with capability types (indexed by permission set). Git operation correctness proofs would ensure repo integrity is preserved.
+
+## Priority
+
+**MEDIUM** — Git repository fixer that modifies repos. The capability system is the most important proof target — it bounds what the tool can do. Small codebase makes full coverage achievable.

TEST-NEEDS.md

@@ -0,0 +1,56 @@
+# TEST-NEEDS.md — polysafe-gitfixer
+
+> Generated 2026-03-29 by punishing audit.
+
+## Current State
+
+| Category     | Count | Notes |
+|-------------|-------|-------|
+| Unit tests   | 0     | No inline tests, no test files |
+| Integration  | 0     | None |
+| E2E          | 0     | None |
+| Benchmarks   | 0     | None |
+
+**Source modules:** 6 Rust source files across 4 crates: capability (audit_log.rs, dir_capability.rs, lib.rs), fs_ops (lib.rs), git_ops (lib.rs), polysafe_nifs (lib.rs).
+
+## What's Missing
+
+### P2P (Property-Based) Tests
+- [ ] Dir capability: property tests for capability creation/verification invariants
+- [ ] Audit log: property tests for log entry integrity
+- [ ] fs_ops: property tests for filesystem operation safety (no escaping sandbox)
+- [ ] git_ops: property tests for git operation correctness
+
+### E2E Tests
+- [ ] Full fix cycle: detect issue -> create capability -> apply fix -> audit -> verify
+- [ ] Git operation: clone -> modify -> commit -> verify integrity
+- [ ] Capability lifecycle: create -> use -> revoke -> verify revoked
+
+### Aspect Tests
+- **Security:** A git fixing tool with capabilities and audit logging has ZERO security tests. Capability bypass, audit log tampering, path traversal in fs_ops, git injection — ALL untested
+- **Performance:** No benchmarks for fix throughput
+- **Concurrency:** No tests for concurrent fix operations, capability contention
+- **Error handling:** No tests for git operation failure, filesystem permission denied, corrupted audit log
+
+### Build & Execution
+- [ ] `cargo test` across all 4 crates
+
+### Benchmarks Needed
+- [ ] Git operation speed
+- [ ] Capability validation overhead
+- [ ] Audit logging throughput
+
+### Self-Tests
+- [ ] Fix its own repository as smoke test
+- [ ] Capability system self-test
+- [ ] Audit log integrity verification
+
+## Priority
+
+**CRITICAL.** 6 source files, ZERO tests of any kind. A capability-based security tool with an audit log that has never been tested. The capability and audit_log modules are security-critical and completely unverified. This is one of the worst test situations in the entire scan.
+
+## FAKE-FUZZ ALERT
+
+- `tests/fuzz/placeholder.txt` is a scorecard placeholder inherited from rsr-template-repo — it does NOT provide real fuzz testing
+- Replace with an actual fuzz harness (see rsr-template-repo/tests/fuzz/README.adoc) or remove the file
+- Priority: P2 — creates false impression of fuzz coverage