hyperpolymath edited this page Jun 1, 2026 · 3 revisions

panic-attack Wiki

panic-attack is a Rust CLI providing static analysis, taint tracking, cross-language vulnerability detection, and CVE triage across 49 languages in 500+ repositories. It operates in three deployment modes (standalone binary, panicbot CI integration, mass-panic batch scanning) and exposes 25 weak-point categories with a miniKanren-based logic engine.

The Wiki is the orientation surface; canonical docs live in the repository. Use the sections below to jump to what you need.

Orientation

| If you want to… | Start here |
|---|---|
| Install + first scan | Installation · Quickstart (user) |
| Understand what it detects | Detection Categories · Languages |
| Integrate with CI | panicbot setup · pre-commit hook |
| Plug new findings into VeriSimDB | VeriSimDB Persistence |
| Triage CVE phantoms | Patch Bridge |
| Run estate-scale analysis | mass-panic · Chapel Metalayer |
| Develop / contribute | Quickstart (dev) · Architecture · CONTRIBUTING.md |

Canonical docs in-repo

Machine-readable surfaces

  • 0-AI-MANIFEST.a2ml — top-level AI/agent manifest (canonical-locations, invariants, capability tags)
  • .machine_readable/6a2/{STATE,META,ECOSYSTEM}.a2ml — RSR-canonical clade docs
  • .machine_readable/CLADE.a2ml · .machine_readable/anchors/ANCHOR.a2ml — gv-clade-index identity
  • .machine_readable/agent_instructions/{coverage,debt,methodology}.a2ml — per-aspect agent guidance
  • .machine_readable/integrations/{verisimdb,proven,vexometer,feedback-o-tron}.a2ml — partner contracts

Current state (2026-06-01)

  • Version: 2.5.0 (CRG C / Beta)
  • Tests: 282+ passing across unit / property / e2e / aspect / integration tiers
  • Languages: 49 (.thy Isabelle + .v Coq added in v2.1.0)
  • Categories: 25 weak-point types (PA001–PA025 spanning resource exhaustion, crypto misuse, proof drift, supply-chain, input-boundary, mutation-gap)
  • Last cleanup: 2026-06-01 — baseline-red corrective maintenance landed via #94/#97; rsr-template gap fills via #96; dependabot bumps via #93
  • Chapel Wave 2: chapel-multilocale (7th strict gate) landed via #99 — mass-panic --numLocales=2 over gasnet+smp single-host oversubscribed, source-built + cached. See Chapel-Metalayer for the full toolchain story.

Active milestones

  • v2.2.0 — VeriSimDB Integration: hexad persistence for Patch Bridge mitigation registry, historical trend queries via VCL
  • v2.4.0 — Patch Bridge Phase 2: hexad lifecycle persistence, auto-retire, upstream health monitoring, multi-lockfile support (beyond Cargo.lock)
  • v2.5.x — Detection coverage: long-tail categories — test-context awareness, JIT context, FFI subtyping, attack-surface widening completions

See ROADMAP.adoc for the full list.

Estate context

panic-attack is part of the hyperpolymath ecosystem:

  • gitbot-fleet consumes findings via panicbot translator (PA021/PA022/PA023/PA024/PA025 wired)
  • hypatia consumes JSON AssailReport via Elixir rules (Logtalk export removed 2026-04-12)
  • VeriSimDB persists scan octads + hexads via REST (ureq v3 / verisim-panic-api on Fly.io)
  • echo-types / kategoria / typed-wasm — adjacent verification stack
  • standards — reusable CI workflows (rust-ci-reusable.yml + governance)

Reporting + support