feat(bridge): implement Patch Bridge MVP — CVE triage with reachability analysis

Adds the `panic-attack bridge` subcommand family (behind --features http):

- `bridge triage <dir>` — full CVE assessment:
  1. Parse Cargo.lock for all dependencies
  2. Query OSV API (api.osv.dev) for known vulnerabilities
  3. Scan .rs files for imports to detect phantom dependencies
  4. Classify: Mitigable / Unmitigable / Informational

- `bridge status <dir>` — view mitigation registry

Key capability: phantom dependency detection. If a crate is in
Cargo.toml but never imported in any .rs file, the CVE is classified
as Informational with action "remove unused dependency." Validated
against Hypatia (octocrab/rsa) and VeriSimDB (lru, bincode, paste).

New modules:
  src/bridge/mod.rs          — orchestrator, core types, BridgeReport
  src/bridge/lockfile.rs     — Cargo.lock parser
  src/bridge/intelligence.rs — OSV API batch queries
  src/bridge/reachability.rs — import scanning for phantom dep detection
  src/bridge/classify.rs     — three-way classification engine
  src/bridge/registry.rs     — mitigation lifecycle registry

14 unit tests across all modules. Zero compiler warnings.
JSON output matches RSR template static-analysis-gate.yml schema.

Design document: docs/patch-bridge-design.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

.claude/CLAUDE.md

@@ -56,6 +56,13 @@ src/
 ├── abduct/              # Isolation + time-skew
 ├── adjudicate/          # Campaign verdict aggregation
 ├── axial/               # Reaction observation
+├── bridge/              # Patch Bridge — CVE mitigation lifecycle (feature: http)
+│   ├── mod.rs           # Triage orchestrator, core types (BridgeReport, AssessedCve)
+│   ├── lockfile.rs      # Cargo.lock parser
+│   ├── intelligence.rs  # OSV API batch queries (CVE feed)
+│   ├── reachability.rs  # Import scanning for phantom dependency detection
+│   ├── classify.rs      # Three-way classification: Mitigable/Unmitigable/Informational
+│   └── registry.rs      # Mitigation lifecycle registry (JSON persistence)
 ├── a2ml/                # AI manifest protocol
 ├── panll/               # PanLL event-chain export
 ├── storage/             # Filesystem + VerisimDB persistence
@@ -66,8 +73,9 @@ src/
 ## Build & Test
 
 ```bash
-cargo build --release
-cargo test
+cargo build --release --features http    # With Patch Bridge (needs network)
+cargo build --release                    # Without Patch Bridge
+cargo test --features http               # All tests including bridge
 
 # Run scan:
 panic-attack assail /path/to/repo
@@ -96,6 +104,58 @@ The kanren module provides:
 - **Forward chaining**: Derives new vulnerability facts from rules applied to existing facts
 - **Backward queries**: Given a vulnerability type, finds which files could cause it
 
+## Patch Bridge (feature: `http`)
+
+CVE mitigation lifecycle engine. Requires `--features http` at build time.
+Design document: `docs/patch-bridge-design.md`
+
+### Subcommands
+
+```bash
+# Full CVE triage with reachability analysis
+panic-attack bridge triage /path/to/project
+panic-attack bridge triage /path/to/project --output report.json
+panic-attack bridge triage /path/to/project --register  # update mitigation registry
+panic-attack bridge triage /path/to/project --offline    # skip API calls
+
+# View mitigation registry
+panic-attack bridge status /path/to/project
+```
+
+### How it works
+
+1. **Parse Cargo.lock** — extract all dependencies with versions
+2. **Query OSV API** — batch query api.osv.dev for known vulnerabilities
+3. **Reachability scan** — grep .rs files for imports of vulnerable crates
+4. **Classify** — Mitigable (fix available) / Unmitigable (no fix) / Informational (phantom dep)
+5. **Report** — JSON output compatible with RSR template static-analysis-gate.yml
+
+### Key capability: phantom dependency detection
+
+If a crate is in Cargo.toml but never imported in any .rs file, it's a "phantom" dependency.
+The CVE is compiled into the binary but unreachable. Classification: Informational.
+Action: remove the unused dependency. This was validated against Hypatia (octocrab/rsa).
+
+### Mitigation registry
+
+Active mitigations tracked at `.machine_readable/patch-bridge/registry.json`.
+Lifecycle: Pending → Active → Retiring → Retired / AcceptedRisk.
+Phase 2 adds VeriSimDB hexad persistence and auto-retire on upstream fix.
+
+### Output format
+
+```json
+{
+  "schema_version": "0.1.0",
+  "total_dependencies": 486,
+  "cves": [...],
+  "mitigated": 1,
+  "unmitigable": 0,
+  "concatenative": 0,
+  "informational": 2
+}
+```
+
 ## Deployment Modes
 
 Three self-contained modes — none requires the others:

src/bridge/classify.rs

@@ -0,0 +1,205 @@
+// SPDX-License-Identifier: PMPL-1.0-or-later
+
+//! Three-way CVE classification engine.
+//!
+//! Combines vulnerability data with reachability evidence to produce
+//! one of three classifications:
+//!
+//! - **Mitigable**: A fix exists (semver-compatible or manual upgrade)
+//! - **Unmitigable**: No fix available and dependency is reachable
+//! - **Informational**: Dependency is phantom or unreachable
+//!
+//! Phase 2 will add **Concatenative** classification for CVE×CVE
+//! interactions across shared trust boundaries.
+
+use super::{Classification, ReachabilityEvidence, ReachabilityStatus, Vulnerability};
+
+/// Classify a vulnerability given its reachability evidence.
+///
+/// Returns (classification, rationale, suggested_action).
+pub fn classify(
+    vuln: &Vulnerability,
+    evidence: &ReachabilityEvidence,
+) -> (Classification, String, String) {
+    match evidence.status {
+        // ─── Phantom dependency: declared but never imported ───
+        ReachabilityStatus::Phantom => (
+            Classification::Informational,
+            format!(
+                "{} {} is declared in Cargo.toml but never imported in any .rs file. \
+                 The vulnerable code is compiled but unreachable. \
+                 Removing the dependency from Cargo.toml eliminates this CVE entirely.",
+                vuln.package, vuln.version
+            ),
+            format!("Remove unused dependency `{}` from Cargo.toml", vuln.package),
+        ),
+
+        // ─── Unreachable: imported but no taint flow (Phase 2) ───
+        ReachabilityStatus::Unreachable => (
+            Classification::Informational,
+            format!(
+                "{} {} is imported but no data flow reaches the vulnerable code path. \
+                 (Note: Phase 2 kanren taint analysis will provide higher confidence.)",
+                vuln.package, vuln.version
+            ),
+            "Monitor — no immediate action required".to_string(),
+        ),
+
+        // ─── Reachable: imported and potentially exploitable ───
+        ReachabilityStatus::Reachable => classify_reachable(vuln, evidence),
+    }
+}
+
+/// Classify a reachable vulnerability as mitigable or unmitigable.
+fn classify_reachable(
+    vuln: &Vulnerability,
+    evidence: &ReachabilityEvidence,
+) -> (Classification, String, String) {
+    let import_summary = if evidence.import_sites.len() <= 3 {
+        evidence
+            .import_sites
+            .iter()
+            .map(|s| format!("{}:{}", s.file.display(), s.line))
+            .collect::<Vec<_>>()
+            .join(", ")
+    } else {
+        format!(
+            "{} and {} more",
+            evidence
+                .import_sites
+                .iter()
+                .take(2)
+                .map(|s| format!("{}:{}", s.file.display(), s.line))
+                .collect::<Vec<_>>()
+                .join(", "),
+            evidence.import_sites.len() - 2
+        )
+    };
+
+    if vuln.fixed_versions.is_empty() {
+        // No fix available — unmitigable
+        (
+            Classification::Unmitigable,
+            format!(
+                "{} {} has {} ({}) with NO upstream fix available. \
+                 The dependency is imported at: {}. \
+                 The vulnerable code is reachable in this project.",
+                vuln.package,
+                vuln.version,
+                vuln.id,
+                vuln.summary,
+                import_summary
+            ),
+            format!(
+                "Replace `{}` with an alternative or accept the risk. \
+                 No version upgrade can fix this.",
+                vuln.package
+            ),
+        )
+    } else if vuln.semver_fix_available {
+        // Semver-compatible fix — easiest mitigation
+        let fix_version = vuln.fixed_versions.first().unwrap();
+        (
+            Classification::Mitigable,
+            format!(
+                "{} {} has {} ({}). \
+                 A semver-compatible fix is available in version {}. \
+                 Run `cargo update {}` to apply.",
+                vuln.package, vuln.version, vuln.id, vuln.summary,
+                fix_version, vuln.package
+            ),
+            format!("Run `cargo update {}`", vuln.package),
+        )
+    } else {
+        // Fix exists but requires major version bump
+        let fix_versions = vuln.fixed_versions.join(", ");
+        (
+            Classification::Mitigable,
+            format!(
+                "{} {} has {} ({}). \
+                 Fix available in version(s) {} but requires a breaking upgrade. \
+                 The dependency is imported at: {}.",
+                vuln.package, vuln.version, vuln.id, vuln.summary,
+                fix_versions, import_summary
+            ),
+            format!(
+                "Upgrade `{}` to {} in Cargo.toml (breaking change — review API differences)",
+                vuln.package, fix_versions
+            ),
+        )
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::bridge::{ImportSite, SeverityLabel, SourceTier};
+    use std::path::PathBuf;
+
+    fn mock_vuln(has_fix: bool, semver_fix: bool) -> Vulnerability {
+        Vulnerability {
+            id: "RUSTSEC-2026-0001".to_string(),
+            cve: Some("CVE-2026-00001".to_string()),
+            summary: "Test vulnerability".to_string(),
+            package: "test-crate".to_string(),
+            version: "1.0.0".to_string(),
+            severity: Some(7.5),
+            severity_label: SeverityLabel::High,
+            fixed_versions: if has_fix {
+                vec!["1.0.1".to_string()]
+            } else {
+                vec![]
+            },
+            semver_fix_available: semver_fix,
+            source_tier: SourceTier::Tier1,
+            references: vec![],
+        }
+    }
+
+    fn phantom_evidence() -> ReachabilityEvidence {
+        ReachabilityEvidence {
+            is_imported: false,
+            import_sites: vec![],
+            status: ReachabilityStatus::Phantom,
+        }
+    }
+
+    fn reachable_evidence() -> ReachabilityEvidence {
+        ReachabilityEvidence {
+            is_imported: true,
+            import_sites: vec![ImportSite {
+                file: PathBuf::from("src/main.rs"),
+                line: 5,
+                statement: "use test_crate::Thing;".to_string(),
+            }],
+            status: ReachabilityStatus::Reachable,
+        }
+    }
+
+    #[test]
+    fn test_phantom_is_informational() {
+        let (cls, _, action) = classify(&mock_vuln(false, false), &phantom_evidence());
+        assert_eq!(cls, Classification::Informational);
+        assert!(action.contains("Remove"));
+    }
+
+    #[test]
+    fn test_reachable_no_fix_is_unmitigable() {
+        let (cls, _, _) = classify(&mock_vuln(false, false), &reachable_evidence());
+        assert_eq!(cls, Classification::Unmitigable);
+    }
+
+    #[test]
+    fn test_reachable_semver_fix_is_mitigable() {
+        let (cls, _, action) = classify(&mock_vuln(true, true), &reachable_evidence());
+        assert_eq!(cls, Classification::Mitigable);
+        assert!(action.contains("cargo update"));
+    }
+
+    #[test]
+    fn test_reachable_breaking_fix_is_mitigable() {
+        let (cls, _, action) = classify(&mock_vuln(true, false), &reachable_evidence());
+        assert_eq!(cls, Classification::Mitigable);
+        assert!(action.contains("breaking change"));
+    }
+}