feat(storage): wire VeriSimDB HTTP push via direct verisim-api

- Replace V-lang gateway pattern (/api/v1/hexads) with direct verisim-api
  calls (POST /octads) using OctadRequest payload mapping
- Port all HTTP functions from ureq v2 API to v3: .send(), .body_mut()
  .read_to_string(), builder-style headers, no attach_auth helper
- Add hexad_to_octad_request() mapping: title/body/types/metadata/provenance
- Persist VerisimDb mode now does HTTP push when VERISIMDB_URL is set,
  filesystem fallback otherwise (both in persist_report and
  persist_assemblyline_report)
- Fix bridge/intelligence.rs OSV API call for ureq v3 (same pattern)
- ROADMAP: mark v2.2.0 HTTP integration and per-project instance done

Requires: VERISIMDB_URL=http://verisim-panic-api.flycast:8080
          VERISIM_API_TOKEN=<secret>

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: hyperpolymath

ROADMAP.adoc

@@ -41,10 +41,11 @@ binary, panicbot (gitbot-fleet CI integration), and mass-panic (org-scale batch
 == v2.2.0 -- VeriSimDB Integration
 
 * [x] Filesystem persistence for scan results
-* [ ] VeriSimDB HTTP API integration: push hexads via REST
+* [x] VeriSimDB HTTP API integration: push octads via REST (ureq v3; VERISIMDB_URL env var; http feature; filesystem fallback)
+* [x] Per-project VeriSimDB instance: `deploy/panic-attack/fly.toml` for `verisim-panic-api` (6PN internal, lhr)
 * [ ] Delta reporting: only report changes since last scan
 * [ ] Hexad persistence for Patch Bridge mitigation registry (currently JSON file)
-* [ ] Historical trend queries via VQL-UT
+* [ ] Historical trend queries via VCL
 
 == v2.3.0 -- Shell and UX
 
@@ -83,7 +84,7 @@ coverage: none beyond `unsafe_blocks` (too blunt).
 * [x] Detect constant-time comparison violations (using `==` on secret values) — PA022, Rust/Python
 * [ ] Detect key-reuse patterns across contexts (not reliably detectable statically — deferred)
 * [ ] Detect nonce reuse in symmetric encryption (not reliably detectable statically — deferred)
-* [ ] Detect missing signature verification before use
+* [x] Detect JWT signature verification bypass — `dangerous_insecure_decode` (Rust/jsonwebtoken), `jwt.decode()` without `jwt.verify()` / `decodeJwt()` without `jwtVerify()` (JS/jose), `jwt.ParseUnverified()` (Go), `verify_signature: False` / `algorithms=["none"]` (Python/PyJWT)
 
 === `proof_drift` — Formal verification drift
 
@@ -96,7 +97,7 @@ stay in sync with their formal counterparts.
 * [x] Detect `@test x isa Y` (no value check) standing in for a formally proven theorem in Julia mirror files
 * [x] Detect `# sorry` / `# TODO: prove` / `# admitted` comments in Julia mirror implementations
 * [ ] Flag Rust/Julia functions whose name matches an Isabelle definition but whose signature has drifted
-* [ ] Detect `Obj.magic` in Coq-extracted OCaml (upstream axiom bypass in extracted artifacts)
+* [x] Detect `Obj.magic` in Coq-extracted OCaml (upstream axiom bypass in extracted artifacts) — distinguished from hand-written OCaml via `type __ = Obj.t` extraction marker
 
 === `input_boundary` — Structured-data parsing and deserialization
 

src/bridge/intelligence.rs

@@ -134,23 +134,20 @@ pub fn query_osv_batch(deps: &[LockedDependency]) -> Result<Vec<Vulnerability>>
                 .collect(),
         };
 
-        let body = serde_json::to_string(&request)?;
-
-        let resp = match ureq::post("https://api.osv.dev/v1/querybatch")
-            .set("Content-Type", "application/json")
-            .send_string(&body)
-        {
-            Ok(resp) => resp,
-            Err(ureq::Error::Status(code, resp)) => {
-                let body_text = resp.into_string().unwrap_or_default();
-                anyhow::bail!("OSV API returned HTTP {}: {}", code, body_text);
-            }
-            Err(e) => {
-                anyhow::bail!("OSV API request failed: {}", e);
-            }
-        };
+        let body_bytes = serde_json::to_vec(&request)?;
+
+        let mut resp = ureq::post("https://api.osv.dev/v1/querybatch")
+            .header("Content-Type", "application/json")
+            .send(&body_bytes[..])
+            .map_err(|e| anyhow::anyhow!("OSV API request failed: {}", e))?;
+
+        let status = resp.status().as_u16();
+        if !(200..300).contains(&status) {
+            let buf = resp.body_mut().read_to_string().unwrap_or_default();
+            anyhow::bail!("OSV API returned HTTP {}: {}", status, buf);
+        }
 
-        let response_text = resp.into_string()?;
+        let response_text = resp.body_mut().read_to_string()?;
         let response: OsvBatchResponse = serde_json::from_str(&response_text)?;
 
         // Map OSV results back to dependencies