63 changes: 63 additions & 0 deletions audits/assail-classifications.a2ml
@@ -0,0 +1,63 @@
;; SPDX-License-Identifier: MPL-2.0
;; Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
;;
;; Assail Classifications — valence-shell
;; See panic-attack/.claude/CLAUDE.md § "User-Classification Registry".

(assail-classifications
(metadata
(version "1.0.0")
(project "valence-shell")
(last-updated "2026-05-26")
(entries 8)
(status "active"))

(classification
(file "impl/rust-cli/src/process_sub.rs")
(category "UnsafeCode")
(classification "legitimate-ffi")
(audit "audits/audit-ffi-2026-05-26.md")
(rationale "valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig."))
(classification
(file "impl/rust-cli/src/external.rs")
(category "UnsafeCode")
(classification "legitimate-ffi")
(audit "audits/audit-ffi-2026-05-26.md")
(rationale "valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig."))
(classification
(file "impl/rust-cli/src/commands.rs")
(category "UnsafeCode")
(classification "legitimate-ffi")
(audit "audits/audit-ffi-2026-05-26.md")
(rationale "valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig."))
(classification
(file "impl/zig/src/daemon_client.zig")
(category "UnsafeCode")
(classification "legitimate-ffi")
(audit "audits/audit-ffi-2026-05-26.md")
(rationale "valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig."))
(classification
(file "impl/zig/src/lib.zig")
(category "UnsafeCode")
(classification "legitimate-ffi")
(audit "audits/audit-ffi-2026-05-26.md")
(rationale "valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig."))
(classification
(file "impl/zig/lean_wrapper.zig")
(category "UnsafeCode")
(classification "legitimate-ffi")
(audit "audits/audit-ffi-2026-05-26.md")
(rationale "valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig."))
(classification
(file "ffi/rust/src/operations.rs")
(category "UnsafeCode")
(classification "legitimate-ffi")
(audit "audits/audit-ffi-2026-05-26.md")
(rationale "valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig."))
(classification
(file "ffi/rust/src/audit.rs")
(category "UnsafeCode")
(classification "legitimate-ffi")
(audit "audits/audit-ffi-2026-05-26.md")
(rationale "valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig."))
)
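Review bot: every entry in this hunk carries `(category "UnsafeCode")`, yet the companion audit scopes itself to both `UnsafeCode` (PA001) and `UnsafeFFI` (PA007) findings and claims both are reported as suppressed; if assail matches registry entries on category, the PA007 findings in these same files have no matching entry and will not be suppressed, so either add `UnsafeFFI` entries for the affected files or confirm the category field is not consulted during matching. A second, smaller point: all eight entries repeat one identical rationale string that describes three different roots at once, which means the rationale attached to `impl/zig/src/lib.zig` talks about `libc::{chown,getpwnam,...}` calls that belong to `impl/rust-cli`; a per-file rationale naming the specific `unsafe` call sites in that file would make each classification checkable against its source rather than against a paragraph shared by all of them. Minor style point: `(classification "legitimate-ffi")` nested inside `(classification ...)` reuses the same keyword for the record and for its verdict field, which is easy to misread; a distinct field name such as `(verdict ...)` would be clearer if the schema allows it.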
28 changes: 28 additions & 0 deletions audits/audit-ffi-2026-05-26.md
@@ -0,0 +1,28 @@
<!--
SPDX-License-Identifier: MPL-2.0
Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
-->

# Audit: FFI / systems `unsafe` blocks (valence-shell)

**Auditor**: Jonathan D.A. Jewell
**Date**: 2026-05-26
**Scope**: panic-attack assail Critical/High `UnsafeCode` (PA001) and `UnsafeFFI` (PA007) findings located under: `impl/rust-cli/src/, impl/zig/, ffi/rust/src/`.
**Cross-reference**: campaign tracker [hyperpolymath/panic-attack#32](https://github.com/hyperpolymath/panic-attack/issues/32).
**Registry**: `audits/assail-classifications.a2ml`.

## Rationale

valence-shell is a Unix shell. impl/rust-cli is the Rust shell front-end calling libc::{chown,getpwnam,getgrnam,getpgrp,kill,pipe,WIFSTOPPED} + File::from_raw_fd — required POSIX job-control + permission syscalls. impl/zig is the Zig daemon-client FFI; ffi/rust contains the Rust FFI shim to the Lean-verified core via lean_wrapper.zig.

The classification is scoped to the listed root(s). Any `unsafe` block outside those roots remains visible to assail.

## Anti-gameability

The registry is a separate file from any source under scan; adding a new `unsafe` block inside a classified root requires a companion classification edit and an update to this audit doc, both of which are visible in the diff.

## Verification

Locally on this branch: `panic-attack assail . --headless` reports the listed PA001/PA007 findings as `suppressed: true`. Any new `unsafe` outside the listed roots remains unsuppressed.

Refs hyperpolymath/panic-attack#32.
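Review bot: the Anti-gameability section overstates what the registry enforces: entries are keyed by file path, so a new `unsafe` block added to an already-classified file (for example `impl/rust-cli/src/external.rs`) would be suppressed with no registry edit and no change to this document, which contradicts the sentence "adding a new `unsafe` block inside a classified root requires a companion classification edit". Consider pinning each classification to the audited state, for instance by recording the number of `unsafe` blocks (or a content hash) per file in the registry and having the CI check fail when the count drifts, so that silent growth inside a classified file is detected. Related, in the Verification section the claim "reports the listed PA001/PA007 findings as `suppressed: true`" would be easier to re-verify later if the document recorded the finding count observed (how many PA001 and how many PA007 per file) alongside the `panic-attack assail . --headless` invocation, since that number is the baseline a future reviewer compares against.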