@@ -66,6 +66,65 @@ binary, panicbot (gitbot-fleet CI integration), and mass-panic (org-scale batch
6666* [ ] Upstream health monitoring (PipeWire, ReScript, UTF-8 tracking)
6767* [ ] Multi-lockfile support (beyond Cargo.lock: package-lock.json, mix.lock, etc.)
6868
69+ == v2.5.0 -- Attack Surface Widening
70+
71+ The current weak-point categories cover generic resource-exhaustion patterns
72+ (Memory, CPU, Disk, Network, Concurrency) but miss the estate's distinctive
73+ risks. This milestone adds five new detection categories.
74+
75+ === `crypto_misuse` — Cryptographic primitive misuse
76+
77+ The estate uses SHA, Sodium, Ed25519, CBOR proofs, and hash-chain integrity
78+ throughout VerisimCore, Hypatia attestations, and the Patch Bridge. Current
79+ coverage: none beyond `unsafe_blocks` (too blunt).
80+
81+ * [ ] Detect weak-hash-for-security patterns (MD5/SHA1 in security contexts)
82+ * [ ] Detect constant-time comparison violations (using `==` on secret values)
83+ * [ ] Detect key-reuse patterns across contexts
84+ * [ ] Detect nonce reuse in symmetric encryption
85+ * [ ] Detect missing signature verification before use
86+
87+ === `proof_drift` — Formal verification drift
88+
89+ The estate maintains Isabelle theories, Idris2 ABI definitions, and Lean4/Agda
90+ proofs alongside Julia/Rust mirrors. Nothing currently checks that the mirrors
91+ stay in sync with their formal counterparts.
92+
93+ * [ ] Detect `sorry` / `Admitted` / `believe_me` / `unsafeCoerce` / `Obj.magic` in formal files (`.thy`, `.idr`, `.lean`, `.agda`) — these are the estate's banned dangerous patterns
94+ * [ ] Detect `@assert` / `@test` standing in for a formally proven theorem in Julia mirror files
95+ * [ ] Flag Rust/Julia functions whose name matches an Isabelle definition but whose signature has drifted
96+ * [ ] Detect `# TODO: prove` / `-- sorry` comments in mirror implementations
97+
98+ === `input_boundary` — Structured-data parsing and deserialization
99+
100+ Unvalidated deserialization paths at CBOR proof blobs, A2ML manifest parsing,
101+ VeriSimDB scan ingestion (DispatchBridge), and JSON from panic-attack itself.
102+
103+ * [ ] Detect unchecked CBOR / MessagePack deserialization (`serde` without validation)
104+ * [ ] Detect A2ML parsing without `try`/`catch` boundary
105+ * [ ] Detect `JSON.parse` / `JSON3.read` calls not wrapped in error-handling
106+ * [ ] Track taint from external file reads to trust-sensitive sinks (store operations, proof evaluation)
107+
108+ === `supply_chain` — Dependency and build integrity
109+
110+ SHA-pinned GitHub Actions are covered but not Julia `Manifest.toml` hash
111+ verification, Nix flake input pinning, or Cargo lock coherence checks.
112+
113+ * [ ] Flag `Manifest.toml` present without `[deps]` hash entries (Julia)
114+ * [ ] Flag `flake.nix` inputs without locked `narHash` (Nix)
115+ * [ ] Flag `Cargo.toml` git dependencies without explicit `rev =`
116+ * [ ] Detect `Cargo.lock` absent when `Cargo.toml` has `[lib]` or `[[bin]]`
117+ * [ ] Flag unpinned `deno.json` import map entries (bare specifiers without version)
118+
119+ === `mutation` — Mutation and chaos coverage gaps
120+
121+ Identified as an estate-wide gap in the 2026-04-05 KRL-stack CRG blitz audit.
122+
123+ * [ ] Detect test suites with zero mutation-test configuration (no `cargo-mutants`, `mutagen`, etc.)
124+ * [ ] Flag `@testset` blocks with no assertion diversity (all `@test x isa Y` style, no value checks)
125+ * [ ] Detect Elixir test suites without `ExUnitProperties` or StreamData for property-based testing
126+ * [ ] Emit `mutation_gap` weak-point for any module with >80% line coverage but zero mutation score
127+
69128== v3.0.0 -- Distributed Scanning
70129
71130* [x] Assemblyline batch scanning with rayon parallelism
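Review bot: the `supply_chain` item "Detect `Cargo.lock` absent when `Cargo.toml` has `[lib]` or `[[bin]]`" will flag every library crate, since the common Cargo convention is to commit `Cargo.lock` only for binaries and to leave it out of libraries; consider restricting that check to `[[bin]]` targets, or documenting that the estate deliberately requires lockfiles for libraries too. In the same section, "Flag `Manifest.toml` present without `[deps]` hash entries (Julia)" does not name the field the check reads, so the rule is not implementable as written; spell out which per-package key in `Manifest.toml` counts as the hash. Finally, the `mutation` item "Emit `mutation_gap` weak-point for any module with >80% line coverage but zero mutation score" overlaps with the first bullet in that section (no mutation-test configuration at all); state whether a zero score means "no mutation run" or "all mutants survived", since the two need different remediation advice.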