diff --git a/audits/assail-classifications.a2ml b/audits/assail-classifications.a2ml
new file mode 100644
index 0000000..e34b8f4
--- /dev/null
+++ b/audits/assail-classifications.a2ml
@@ -0,0 +1,63 @@
+;; SPDX-License-Identifier: MPL-2.0
+;; Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath)
+;;
+;; Assail Classifications — valence-shell
+;; See panic-attack/.claude/CLAUDE.md § "User-Classification Registry".
+
+(assail-classifications
+ (metadata
+ (version "1.0.0")
+ (project "valence-shell")
+ (last-updated "2026-05-26")
+ (entries 8)
+ (status "active"))
+
+ (classification
+ (file "impl/rust-cli/src/process_sub.rs")
+ (category "UnsafeCode")
+ (classification "legitimate-ffi")
+ (audit "audits/audit-ffi-2026-05-26.md")
+ (rationale "valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig."))
+ (classification
+ (file "impl/rust-cli/src/external.rs")
+ (category "UnsafeCode")
+ (classification "legitimate-ffi")
+ (audit "audits/audit-ffi-2026-05-26.md")
+ (rationale "valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig."))
+ (classification
+ (file "impl/rust-cli/src/commands.rs")
+ (category "UnsafeCode")
+ (classification "legitimate-ffi")
+ (audit "audits/audit-ffi-2026-05-26.md")
+ (rationale "valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig."))
+ (classification
+ (file "impl/zig/src/daemon_client.zig")
+ (category "UnsafeCode")
+ (classification "legitimate-ffi")
+ (audit "audits/audit-ffi-2026-05-26.md")
+ (rationale "valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig."))
+ (classification
+ (file "impl/zig/src/lib.zig")
+ (category "UnsafeCode")
+ (classification "legitimate-ffi")
+ (audit "audits/audit-ffi-2026-05-26.md")
+ (rationale "valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig."))
+ (classification
+ (file "impl/zig/lean_wrapper.zig")
+ (category "UnsafeCode")
+ (classification "legitimate-ffi")
+ (audit "audits/audit-ffi-2026-05-26.md")
+ (rationale "valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig."))
+ (classification
+ (file "ffi/rust/src/operations.rs")
+ (category "UnsafeCode")
+ (classification "legitimate-ffi")
+ (audit "audits/audit-ffi-2026-05-26.md")
+ (rationale "valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig."))
+ (classification
+ (file "ffi/rust/src/audit.rs")
+ (category "UnsafeCode")
+ (classification "legitimate-ffi")
+ (audit "audits/audit-ffi-2026-05-26.md")
+ (rationale "valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig."))
+)
diff --git a/audits/audit-ffi-2026-05-26.md b/audits/audit-ffi-2026-05-26.md
new file mode 100644
index 0000000..4ef52d0
--- /dev/null
+++ b/audits/audit-ffi-2026-05-26.md
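Review bot: All eight `(rationale ...)` strings in this registry are the same blanket paragraph, so an entry such as `impl/zig/lean_wrapper.zig` justifies itself with the libc job-control calls that belong to `impl/rust-cli`, and a reader of any single entry cannot tell which `unsafe` sites in that file were actually reviewed. Each rationale should name the unsafe operations found in that particular file (the libc calls and `File::from_raw_fd` for the rust-cli entries; the daemon-client and Lean-core boundary for the Zig and ffi/rust entries) and leave the shared project context to `audits/audit-ffi-2026-05-26.md`. The entries are also keyed only by path, so any later edit to a listed file inherits the suppression without re-review; if the a2ml schema allows it, record the reviewed revision per entry, e.g. `(reviewed-at "<COMMIT-ID>")` with a real commit id substituted, so a stale classification is detectable by the scanner or a CI check. Note too that the companion audit doc describes the classification as scoped to roots while this registry suppresses per file; the two should agree on which is the unit of suppression so the anti-gameability claim matches what assail actually enforces.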
@@ -0,0 +1,28 @@
+
+
+# Audit: FFI / systems `unsafe` blocks (valence-shell)
+
+**Auditor**: Jonathan D.A. Jewell
+**Date**: 2026-05-26
+**Scope**: panic-attack assail Critical/High `UnsafeCode` (PA001) and `UnsafeFFI` (PA007) findings located under: `impl/rust-cli/src/, impl/zig/, ffi/rust/src/`.
+**Cross-reference**: campaign tracker [hyperpolymath/panic-attack#32](https://github.com/hyperpolymath/panic-attack/issues/32).
+**Registry**: `audits/assail-classifications.a2ml`.
+
+## Rationale
+
+valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig.
+
+The classification is scoped to the listed root(s). Any `unsafe` block outside those roots remains visible to assail.
+
+## Anti-gameability
+
+The registry is a separate file from any source under scan; adding a new `unsafe` block inside a classified root requires a companion classification edit and an update to this audit doc, both of which are visible in the diff.
+
+## Verification
+
+Locally on this branch: `panic-attack assail . --headless` reports the listed PA001/PA007 findings as `suppressed: true`. Any new `unsafe` outside the listed roots remains unsuppressed.
+
+Refs hyperpolymath/panic-attack#32.