-
Notifications
You must be signed in to change notification settings - Fork 0
Home
hyperpolymath edited this page Jun 2, 2026
·
7 revisions
panic-attack is a Rust CLI providing static analysis, taint tracking, cross-language vulnerability detection, and CVE triage across 49 languages, single-locale validated against the 303-repo hyperpolymath estate (2026-04-12). It operates in three deployment modes (standalone binary, panicbot CI integration, mass-panic batch scanning) and exposes 25 canonical weak-point categories (PA001–PA025) with a miniKanren-based logic engine.
The Wiki is the orientation surface; canonical docs live in the repository. Use the sections below to jump to what you need.
| If you want to… | Start here |
|---|---|
| Install + first scan | Installation · Quickstart (user) |
| Understand what it detects | Detection Categories · Languages |
| Integrate with CI | panicbot setup · pre-commit hook |
| Plug new findings into VeriSimDB | VeriSimDB Persistence |
| Triage CVE phantoms | Patch Bridge |
| Run estate-scale analysis | mass-panic · Chapel Metalayer |
| Develop / contribute | Quickstart (dev) · Architecture · CONTRIBUTING.md |
- README.adoc — top-level overview
- ROADMAP.adoc — current + planned milestones
- CHANGELOG.md — release history
- DESIGN.md — architecture rationale
- VISION.md — long-horizon direction
- EXPLAINME.adoc — verbose explanation surface
- SECURITY.md — vulnerability reporting
- PROOF-NEEDS.md · TEST-NEEDS.md — verification debt
-
0-AI-MANIFEST.a2ml— top-level AI/agent manifest (canonical-locations, invariants, capability tags) -
.machine_readable/6a2/{STATE,META,ECOSYSTEM}.a2ml— RSR-canonical clade docs -
.machine_readable/CLADE.a2ml·.machine_readable/anchors/ANCHOR.a2ml— gv-clade-index identity -
.machine_readable/agent_instructions/{coverage,debt,methodology}.a2ml— per-aspect agent guidance -
.machine_readable/integrations/{verisimdb,proven,vexometer,feedback-o-tron}.a2ml— partner contracts
- Version: 2.5.0 (CRG C / Beta) — v2.5.5 cohort feature-complete (foundation + analyzer wire-up); release ramp pending
-
Tests: 897 passing (per
cargo test --release; 4 ignored; 901 runnable per--list) across unit / property / e2e / aspect / integration tiers -
Languages: 49 (
.thyIsabelle +.vCoq added in v2.1.0) -
Categories: 25 canonical PA codes PA001–PA025 spanning resource exhaustion, crypto misuse, proof drift, supply-chain, input-boundary, mutation-gap. Underlying enum has 26 variants —
PA001⇒UncheckedAllocationandPA001b⇒UnboundedAllocationshare the same canonical SARIF rule for taxonomy purposes - v2.5.5 context-awareness cohort landed 2026-06-02 PM: 4 foundation modules + analyzer wire-up + PROOF-PROGRAMME row 1 partial — see Context-Awareness for the operator-facing summary and Proof-Programme for the formal-soundness landscape.
-
v3.0.0 Chapel→VeriSimDB HTTP push landed via #108: new
panic-attack verisim-pushsubcommand underhttpfeature + ChapeltakeSnapshotoverload. -
Chapel Wave 2:
chapel-multilocale(7th strict gate) MERGED 2026-06-02 04:27Z via #99 —mass-panic --numLocales=2overgasnet+smpsingle-host oversubscribed, source-built + cached. Took 6 cold-cache CI iterations to debug 4 Chapel-2.8.0 sharp edges; all four recorded at Chapel-Metalayer.
Operator-authored inline suppression + automatic context-aware FP suppression. Foundation modules:
| Module | What |
|---|---|
src/test_context.rs |
Cross-language test-path classification: Rust / Python / Go / JS / TS / Julia / Zig / Elixir / docs-examples. Content promotion via use ExUnit.Case / unittest.TestCase / @pytest.fixture / @testset. |
src/comment_marker.rs |
// panic-attack: accepted [- reason] inline marker. Mid-line // for C-family; start-of-line # / -- / ; / % for Python / Haskell / Lisp / Erlang. String-literal aware. |
src/ffi_kind.rs |
UnsafeFFI (PA013) subtyped into BuildSystem (build.zig / build.rs) / RuntimeAbi (bindings/ / ffi/ / sys/) / TestMock (tests/mocks/) / Unknown. is_audited_boundary() parses audits/audit-ffi-unsafe.md. |
src/jit_context.rs |
JIT-framework classifier: Cranelift / Llvm / Wasm / Javascript / None. transmute_targets_fn_ptr recogniser. |
assail::apply_v255_context_suppression |
Runs after kanren rules. Auto-suppresses PanicPath in TestOnly/Doc, UnsafeFFI in BuildSystem/TestMock, anything with a panic-attack: accepted marker. |
Operator usage:
// panic-attack: accepted - reviewed manually 2026-06-02
let parsed = config.parse().unwrap();See Context-Awareness for the full integration story.
- v2.2.0 — VeriSimDB Integration: hexad persistence for Patch Bridge mitigation registry, historical trend queries via VCL
- v2.4.0 — Patch Bridge Phase 2: hexad lifecycle persistence, auto-retire, upstream health monitoring, multi-lockfile support (beyond Cargo.lock)
- v2.5.x — Detection coverage: v2.5.5 cohort feature-complete; tail items (test-data fixture lexer, JIT WeakPointCategory) deferred per the analysis in Context-Awareness
See ROADMAP.adoc for the full list.
panic-attack is part of the hyperpolymath ecosystem:
-
gitbot-fleet consumes findings via
panicbottranslator (PA021/PA022/PA023/PA024/PA025 wired) -
hypatia consumes JSON
AssailReportvia Elixir rules (Logtalk export removed 2026-04-12) -
VeriSimDB persists scan octads + hexads via REST (ureq v3 /
verisim-panic-apion Fly.io) - echo-types / kategoria / typed-wasm — adjacent verification stack
-
standards — reusable CI workflows (
rust-ci-reusable.yml+ governance)
- Bugs: GitHub issues
-
Security: see SECURITY.md —
j.d.a.jewell@open.ac.uk - Discussions: GitHub discussions
panic-attack
Detection
- Categories
- Languages
- Context-Awareness ← v2.5.5
Integration
Scale
Verification
- Proof Programme ← formal soundness
Development