chore: M5 CI/Workflow Sweep - final synchronisation

Author: hyperpolymath

Cargo.lock

@@ -1,29 +1,29 @@
 // SPDX-License-Identifier: PMPL-1.0-or-later
 // Template: QUICKSTART-MAINTAINER.adoc — packaging, deploying, and maintaining
-// Replace panic-attacker, {{PACKAGE_NAME}}, {{DEPS}} with actuals
-= panic-attacker — Quick Start for Platform Maintainers
+// Replace panic-attacker, panic-attack, rustc, cargo, mold, pkg-config with actuals
+= panic-attack — Quick Start for Platform Maintainers
 :toc:
 :toclevels: 2
 
 == Overview
 
-This guide covers packaging, deploying, and maintaining panic-attacker for
+This guide covers packaging, deploying, and maintaining panic-attack for
 distribution on your platform.
 
 == Runtime Dependencies
 
-{{DEPS}}
+rustc, cargo, mold, pkg-config
 
 == Build from Source
 
 [source,bash]
 ----
-git clone https://github.com/hyperpolymath/panic-attacker.git
-cd panic-attacker
+git clone https://github.com/hyperpolymath/panic-attack.git
+cd panic-attack
 just build-release
 ----
 
-Output: `{{BUILD_OUTPUT_PATH}}`
+Output: `target/release/panic-attack`
 
 == Packaging
 
@@ -46,7 +46,7 @@ nix build
 [source,bash]
 ----
 just stapeln-export    # Generates Containerfile
-podman build -t panic-attacker .
+podman build -t panic-attack .
 ----
 
 === Manual Package
@@ -65,10 +65,10 @@ Files installed:
 | `$PREFIX/bin/`
 | Executables
 
-| `$PREFIX/share/{{PACKAGE_NAME}}/`
+| `$PREFIX/share/panic-attack/`
 | Data files, assets
 
-| `$PREFIX/share/doc/{{PACKAGE_NAME}}/`
+| `$PREFIX/share/doc/panic-attack/`
 | Documentation
 
 | `$PREFIX/share/applications/`
@@ -80,9 +80,9 @@ Files installed:
 
 == Configuration
 
-Default config location: `$XDG_CONFIG_HOME/{{PACKAGE_NAME}}/config.toml`
+Default config location: `$XDG_CONFIG_HOME/panic-attack/config.toml`
 
-Fallback: `$HOME/.config/{{PACKAGE_NAME}}/config.toml`
+Fallback: `$HOME/.config/panic-attack/config.toml`
 
 == Health Checks
 
@@ -102,13 +102,13 @@ just build-release
 just install --prefix=/usr/local
 ----
 
-Or via OPSM: `opsm update {{PACKAGE_NAME}}`
+Or via OPSM: `opsm update panic-attack`
 
 == Security Notes
 
 * License: PMPL-1.0-or-later (Palimpsest License)
 * All dependencies SHA-pinned
-* `panic-attacker` scan results: link:INSTALL-SECURITY-REPORT.adoc[]
+* `panic-attack` scan results: link:INSTALL-SECURITY-REPORT.adoc[]
 * OpenSSF Scorecard: see badge in README
 
 == Multi-Instance Deployment
@@ -117,8 +117,8 @@ For deploying multiple instances (e.g., different users or tenants):
 
 [source,bash]
 ----
-just install --prefix=/opt/{{PACKAGE_NAME}}-instance1 --config=/etc/{{PACKAGE_NAME}}/instance1.toml
-just install --prefix=/opt/{{PACKAGE_NAME}}-instance2 --config=/etc/{{PACKAGE_NAME}}/instance2.toml
+just install --prefix=/opt/panic-attack-instance1 --config=/etc/panic-attack/instance1.toml
+just install --prefix=/opt/panic-attack-instance2 --config=/etc/panic-attack/instance2.toml
 ----
 
 Each instance has isolated config, data, and logs.

QUICKSTART-MAINTAINER.adoc

@@ -129,6 +129,50 @@ Identified as an estate-wide gap in the 2026-04-05 KRL-stack CRG blitz audit.
 * [x] Detect Elixir test suites without `ExUnitProperties` or StreamData for property-based testing — PA025
 * [ ] Emit `mutation_gap` weak-point for any module with >80% line coverage but zero mutation score (requires runtime coverage data — deferred)
 
+== v2.5.5 -- 007 False Positive Reduction
+
+Based on the 007 repository analysis (2026-04-15), this milestone targets
+specific false positive patterns that currently inflate weak-point counts.
+
+=== `comment_analysis` — Distinguish code from documentation
+
+Panic-attack currently flags comments that mention "unsafe" or document
+security aspects, leading to false positives in security tests.
+
+* [ ] Parse Rust/JS/Python/Julia comment syntax to exclude from unsafe detection
+* [ ] Add `// panic-attack: accepted` comment parser for explicit suppression
+* [ ] Create comment-only weak-point category for documentation review
+* [ ] Improve Zig comment parsing to reduce build.zig false positives
+
+=== `test_context` — Test vs production code distinction
+
+Test files should not be held to the same safety standards as production code,
+but panic-attack currently applies uniform rules.
+
+* [ ] Detect test modules (`#[cfg(test)]`, `test "..."`, `ExUnit.Case`) across languages
+* [ ] Suppress PanicPath findings in test-only code (unwrap/expect acceptable in tests)
+* [ ] Add test/production context to weak-point metadata
+* [ ] Create test-specific suppression patterns for HTTP URLs and other test data
+
+=== `ffi_refinement` — Better FFI boundary detection
+
+Current FFI detection flags build system files and legitimate ABI boundaries.
+
+* [ ] Distinguish `@import("std")` from `@cImport` in Zig analyzer
+* [ ] Recognize build.zig as build-system context, not FFI usage
+* [ ] Cross-reference with `audits/audit-ffi-unsafe.md` for pre-approved boundaries
+* [ ] Add FFI category subtyping (BuildSystem, RuntimeABI, TestMock)
+
+=== `jit_context` — JIT compilation awareness
+
+JIT compilation inherently requires unsafe code for function pointer manipulation,
+but panic-attack flags these as generic UnsafeCode findings.
+
+* [ ] Detect Cranelift/LLVM JIT compilation contexts
+* [ ] Add JIT-specific unsafe suppression for transmute patterns
+* [ ] Document JIT safety invariants in weak-point metadata
+* [ ] Create JIT category for specialized analysis
+
 == v3.0.0 -- Distributed Scanning
 
 * [x] Assemblyline batch scanning with rayon parallelism

ROADMAP.adoc

@@ -11,10 +11,24 @@ use panic_attack::types::Language;
 /// Benchmark language detection from file extension
 fn bench_language_detect(c: &mut Criterion) {
     let extensions = vec![
-        "main.rs", "lib.rs", "app.py", "index.js", "server.ex",
-        "types.idr", "Main.hs", "config.ncl", "build.zig", "test.gleam",
-        "script.sh", "model.jl", "style.css", "unknown.xyz",
-        "Component.res", "parser.ml", "proof.lean", "rules.lgt",
+        "main.rs",
+        "lib.rs",
+        "app.py",
+        "index.js",
+        "server.ex",
+        "types.idr",
+        "Main.hs",
+        "config.ncl",
+        "build.zig",
+        "test.gleam",
+        "script.sh",
+        "model.jl",
+        "style.css",
+        "unknown.xyz",
+        "Component.res",
+        "parser.ml",
+        "proof.lean",
+        "rules.lgt",
     ];
 
     c.bench_function("language_detect_18_files", |b| {
@@ -29,10 +43,18 @@ fn bench_language_detect(c: &mut Criterion) {
 /// Benchmark language family classification
 fn bench_language_family(c: &mut Criterion) {
     let languages = vec![
-        Language::Rust, Language::Elixir, Language::Gleam,
-        Language::ReScript, Language::Idris, Language::Zig,
-        Language::Haskell, Language::Python, Language::JavaScript,
-        Language::Shell, Language::Julia, Language::Nickel,
+        Language::Rust,
+        Language::Elixir,
+        Language::Gleam,
+        Language::ReScript,
+        Language::Idris,
+        Language::Zig,
+        Language::Haskell,
+        Language::Python,
+        Language::JavaScript,
+        Language::Shell,
+        Language::Julia,
+        Language::Nickel,
     ];
 
     c.bench_function("language_family_12_langs", |b| {