feat(query): (crosslang ...) + (since ...) forms (issue #33 S3b+c)#58
Merged
Adds two query forms to the panic-attack query subcommand:
1. (since 2026-04-12) — match findings whose first_seen_run (when ISO-
formatted) or hexad created_at is >= the cutoff. RFC-3339 strings
sort lexicographically, so a string >= compare is exact for any
well-formed timestamp. Combined with `and`, expresses the
"(diff :since DATE :category CAT)" use case the issue calls out:
(and (since 2026-04-12) (category CryptoMisuse))
2. (crosslang :from FROM_CAT :to TO_CAT) — co-occurrence proxy for
FFI/cross-language reachability. Matches a TO-category finding in a
repo that also has at least one FROM-category finding. Most
FFI-driven proof drift surfaces in the same repo, so this is the
operationally useful approximation until kanren-crosslang facts are
persisted as hexads (a later slice). Both keyword and positional
shapes accepted:
(crosslang :from UnsafeFFI :to ProofDrift)
(crosslang UnsafeFFI ProofDrift)
Implementation:
- New Query variants Since(String) and Crosslang { from, to }.
- Parser extended with `since` and `crosslang` heads; crosslang
accepts both positional and `:from`/`:to` keyword forms.
- Evaluator's load_context now also builds a repo→categories index so
(crosslang ...) is O(1) per row.
Tests: 9 new (5 parser positive + 2 rejection cases, 2 crosslang
evaluator, 1 since evaluator). Lib total: 248 green. Clippy clean
with -D warnings.
Refs #33. Stacked on #57 (S3) — diff against main includes the
S1+S2+S3 changes until they land.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
17bd2a0 to 0821b94
hyperpolymath added a commit that referenced this pull request May 27, 2026
… follow-up) (#61)

## Summary
- Adds a `HexadSemantic.crosslang: Option<CrosslangSemantic>` facet and a `build_crosslang_hexads(...)` helper that drives the kanren `CrossLangAnalyzer` per repo (ingest → extract → load_rules → analyze → query_interactions) and emits one hexad per derived `CrossLangInteraction`.
- New env var `PANIC_ATTACK_STORE_CROSSLANG_HEXADS` (separate from `PANIC_ATTACK_STORE_FINDING_HEXADS`) opts a run into emission; `persist_assemblyline_report` writes to `<dir>/hexads/crosslang/` file-side only.
- Adds `load_crosslang_hexads(base_dir)` so the paired query-evaluator PR can match against persisted facts; falls back to empty `Vec` when the dir is missing (the evaluator treats that as "use co-occurrence proxy").

## Why
Tightens the `(crosslang :from :to)` query from a same-repo co-occurrence proxy to a true FFI/cross-language reachability check against persisted kanren-derived facts. PR 1 of a 2-PR stack; PR 2 switches the evaluator over while preserving fall-back semantics.

## Test plan
- [x] `cargo test --lib` — 252 tests pass, including 4 new `storage::tests::*crosslang*` cases (build-empty, build-from-FFI, write/read roundtrip + missing-dir, env-var default-off + opt-in).
- [x] `cargo clippy --all-targets -- -D warnings` clean.
- [x] `cargo fmt --all` no diff.

Stacks under: issue #33 S1/S2/S3 PRs (#55, #56, #57, #58). Filed against `main` per orphan-trap rule.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security Scan
Findings: 74 issues detected
[
{
"reason": "Issue in boj-build.yml",
"type": "unknown",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in cargo-audit.yml",
"type": "unknown",
"file": "cargo-audit.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "unknown",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "unknown",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "unknown",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in coverage.yml",
"type": "unknown",
"file": "coverage.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dependency-review.yml",
"type": "unknown",
"file": "dependency-review.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
Summary
Adds two query forms to `panic-attack query`, closing the S3 follow-ups called out in #57:
`(since 2026-04-12)` — matches findings whose `first_seen_run` (when ISO-formatted) or hexad `created_at` is ≥ the cutoff. RFC-3339 strings sort lexicographically, so the string `>=` compare is exact for any well-formed timestamp. Combined with `and`, this expresses the `(diff :since DATE :category CAT)` use case the issue calls out:
```scheme
(and (since 2026-04-12) (category CryptoMisuse))
```
`(crosslang :from FROM_CAT :to TO_CAT)` — co-occurrence proxy for FFI/cross-language reachability. Matches a `TO`-category finding in a repo that also has at least one `FROM`-category finding. Most FFI-driven proof drift surfaces in the same repo, so this is the operationally useful approximation until `kanren::crosslang` facts are persisted as hexads.
Both shapes parse:
```scheme
(crosslang :from UnsafeFFI :to ProofDrift)
(crosslang UnsafeFFI ProofDrift)
```
Test plan
Refs #33. Stacked on #57.
🤖 Generated with Claude Code
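
Added example, not code from this PR or the panic-attack project: a minimal evaluator for the two forms described above, showing the repo→categories index behind `(crosslang ...)` and the string compare behind `(since ...)`. The `Since` and `Crosslang` variant names and `first_seen_run` come from the PR text; `Finding`, `repo`, `category`, `RepoIndex`, `ROWS`, `run` and the `Category`/`And` variants are assumptions, and the rows are constructed. The last row shows that the string compare tracks real time only when stored timestamps share one UTC offset.

```rust
use std::collections::{HashMap, HashSet};

// Assumed row shape; only `first_seen_run` is a name taken from the PR text.
struct Finding { repo: &'static str, category: &'static str, first_seen_run: &'static str }

enum Query { Since(String), Category(String), Crosslang { from: String, to: String }, And(Vec<Query>) }

type RepoIndex = HashMap<&'static str, HashSet<&'static str>>;

// Constructed sample findings (not real scan output).
static ROWS: [Finding; 5] = [
    Finding { repo: "alpha", category: "UnsafeFFI", first_seen_run: "2026-04-01T09:00:00Z" },
    Finding { repo: "alpha", category: "ProofDrift", first_seen_run: "2026-04-15T10:30:00Z" },
    Finding { repo: "beta", category: "ProofDrift", first_seen_run: "2026-04-20T08:00:00Z" },
    Finding { repo: "beta", category: "CryptoMisuse", first_seen_run: "2026-04-12T00:00:00Z" },
    // This instant is 23:00 UTC on 2026-04-11, yet the string sorts after "2026-04-12".
    Finding { repo: "gamma", category: "CryptoMisuse", first_seen_run: "2026-04-12T01:00:00+02:00" },
];

// Built once per evaluation so each (crosslang ...) row check is a hash lookup.
fn repo_index() -> RepoIndex {
    let mut idx = RepoIndex::new();
    for f in ROWS.iter() { idx.entry(f.repo).or_default().insert(f.category); }
    idx
}

fn matches(q: &Query, f: &Finding, idx: &RepoIndex) -> bool {
    match q {
        // Byte-wise compare; a date-only cutoff sorts before every time on that date.
        Query::Since(cutoff) => f.first_seen_run >= cutoff.as_str(),
        Query::Category(c) => f.category == c.as_str(),
        // Co-occurrence proxy: a TO finding in a repo that also holds a FROM finding.
        Query::Crosslang { from, to } => f.category == to.as_str()
            && idx.get(f.repo).map_or(false, |cats| cats.contains(from.as_str())),
        Query::And(qs) => qs.iter().all(|q| matches(q, f, idx)),
    }
}

// Indexes of the sample rows that match `q`.
fn run(q: &Query) -> Vec<usize> {
    let idx = repo_index();
    ROWS.iter().enumerate().filter(|(_, f)| matches(q, f, &idx)).map(|(i, _)| i).collect()
}

fn main() {
    let q = Query::Crosslang { from: "UnsafeFFI".into(), to: "ProofDrift".into() };
    println!("crosslang matches rows {:?}", run(&q));
}
```

Normalizing timestamps to `Z` at ingest keeps the lexicographic compare aligned with real time; the `beta` ProofDrift row is skipped by the crosslang query because that repo has no `UnsafeFFI` finding.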