feat(v2.5.0): input_boundary (PA024) + mutation gap (PA025)

Add InputBoundary weak point category (PA024): serde_cbor/ciborium/
rmp_serde CBOR+MessagePack calls in Rust; JSON.parse without try/catch
in JavaScript; JSON3.read without error handling in Julia. Taint-tracking
and A2ML boundary detection deferred to kanren phase.

Add MutationGap weak point category (PA025): Rust projects with test
modules but no cargo-mutants config; Julia @testset blocks with only
type-check assertions (no value diversity); Elixir test files without
ExUnitProperties or StreamData. Coverage+mutation-score check deferred
— requires runtime coverage data.

Completes v2.5.0 Attack Surface Widening milestone. 5 categories added
total (PA021–PA025). 25 categories, 49 languages.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: hyperpolymath

CHANGELOG.md

@@ -1,5 +1,41 @@
 # Changelog
 
+## [2.5.0] - 2026-04-12
+
+### Added
+- **InputBoundary category (PA024)**: New weak point category detecting unguarded structured-data
+  parsing at trust boundaries.
+  - **Rust**: `serde_cbor::from_slice`/`from_reader`, `ciborium::de::from_reader`,
+    `rmp_serde::from_slice`/`from_read` — CBOR/MessagePack deserialization without a
+    validation layer (Medium). All five crate patterns flagged.
+  - **JavaScript/ReScript**: `JSON.parse(` in files without any `try`/`catch` context (High).
+    Files that do wrap their JSON.parse in try/catch are not flagged.
+  - **Julia**: `JSON3.read(` and `JSON.parse(` without error handling context (High).
+  - Taint tracking from external reads to trust-sensitive sinks deferred to kanren phase.
+  - A2ML boundary detection deferred — requires cross-file analysis.
+- **PA024 → panicbot**: InputBoundary mapped to `static-analysis/input-boundary`, 0.72
+  confidence, Control tier, Partial fixability.
+- **MutationGap category (PA025)**: New weak point category detecting mutation and chaos
+  coverage gaps in test suites.
+  - **Rust** (project-level): Tests present (`mod tests` / `#[cfg(test)]`) but no
+    `cargo-mutants` config in `Cargo.toml` or `mutants.toml` — mutation tooling absent (Low).
+  - **Julia** (per-file): `@testset` blocks where every `@test` is a type-check assertion
+    (`@test … isa …`) with no value assertions — no assertion diversity (Medium).
+  - **Elixir** (per-file): Test files using `ExUnit.Case` without importing `ExUnitProperties`
+    or `StreamData` for property-based testing (Low).
+  - Coverage-plus-mutation-score check deferred — requires runtime coverage data.
+- **PA025 → panicbot**: MutationGap mapped to `static-analysis/mutation-gap`, 0.80
+  confidence, Substitute tier, Partial fixability.
+- **Idris2 ABI completeness**: `PatternCompleteness.idr` updated — InputBoundary (Rust/JS/Julia)
+  and MutationGap (Rust/Julia/Elixir) added to `WPCategory` with `detectorsFor` entries.
+
+### Changed
+- **Category count**: 23 → 25 (added InputBoundary, MutationGap)
+- **v2.5.0 milestone**: All tractable items complete. Two deferred items each for
+  `input_boundary` (taint+A2ML) and `mutation` (coverage-score), and three for
+  `crypto_misuse` (key-reuse, nonce-reuse, sig-verify) marked as statically undetectable
+  or requiring runtime data.
+
 ## [2.3.0] - 2026-04-12
 
 ### Added

Cargo.lock

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: PMPL-1.0-or-later
 [package]
 name = "panic-attack"
-version = "2.3.0"
+version = "2.5.0"
 edition = "2021"
 rust-version = "1.85.0"
 authors = ["Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>"]

Cargo.toml

@@ -103,10 +103,10 @@ stay in sync with their formal counterparts.
 Unvalidated deserialization paths at CBOR proof blobs, A2ML manifest parsing,
 VeriSimDB scan ingestion (DispatchBridge), and JSON from panic-attack itself.
 
-* [ ] Detect unchecked CBOR / MessagePack deserialization (`serde` without validation)
-* [ ] Detect A2ML parsing without `try`/`catch` boundary
-* [ ] Detect `JSON.parse` / `JSON3.read` calls not wrapped in error-handling
-* [ ] Track taint from external file reads to trust-sensitive sinks (store operations, proof evaluation)
+* [x] Detect unchecked CBOR / MessagePack deserialization (`serde_cbor`/`ciborium`/`rmp_serde` in Rust) — PA024
+* [ ] Detect A2ML parsing without `try`/`catch` boundary (deferred — requires cross-file taint)
+* [x] Detect `JSON.parse` / `JSON3.read` calls not wrapped in error-handling (JS/Julia) — PA024
+* [ ] Track taint from external file reads to trust-sensitive sinks (kanren-phase, deferred)
 
 === `supply_chain` — Dependency and build integrity
 
@@ -123,10 +123,10 @@ verification, Nix flake input pinning, or Cargo lock coherence checks.
 
 Identified as an estate-wide gap in the 2026-04-05 KRL-stack CRG blitz audit.
 
-* [ ] Detect test suites with zero mutation-test configuration (no `cargo-mutants`, `mutagen`, etc.)
-* [ ] Flag `@testset` blocks with no assertion diversity (all `@test x isa Y` style, no value checks)
-* [ ] Detect Elixir test suites without `ExUnitProperties` or StreamData for property-based testing
-* [ ] Emit `mutation_gap` weak-point for any module with >80% line coverage but zero mutation score
+* [x] Detect test suites with zero mutation-test configuration (no `cargo-mutants` in Rust) — PA025
+* [x] Flag `@testset` blocks with no assertion diversity (all `@test x isa Y`, no value checks) — PA025
+* [x] Detect Elixir test suites without `ExUnitProperties` or StreamData for property-based testing — PA025
+* [ ] Emit `mutation_gap` weak-point for any module with >80% line coverage but zero mutation score (requires runtime coverage data — deferred)
 
 == v3.0.0 -- Distributed Scanning
 

ROADMAP.adoc

@@ -144,10 +144,10 @@ crossLangAlwaysApplied : (lang : Lang) -> CrossLangChecked lang
 crossLangAlwaysApplied _ = MkCrossLangChecked
 
 -- ═══════════════════════════════════════════════════════════════════════
--- WeakPointCategory enumeration (mirrors src/types.rs, 23 categories)
+-- WeakPointCategory enumeration (mirrors src/types.rs, 25 categories)
 -- ═══════════════════════════════════════════════════════════════════════
 
-||| All 23 weak point categories detectable by the scanner.
+||| All 25 weak point categories detectable by the scanner.
 public export
 data WPCategory
   = UncheckedAllocation
@@ -183,6 +183,15 @@ data WPCategory
   ||| Manifest.toml without hash entries, flake.nix without narHash,
   ||| deno.json unpinned specifiers. Detected in Rust, Julia, Nix, JavaScript.
   | SupplyChain
+  ||| Structured-data parsing boundary: unchecked CBOR/MessagePack
+  ||| deserialization (serde_cbor, ciborium, rmp_serde in Rust), JSON.parse
+  ||| without try-catch (JavaScript), JSON3.read without error handling (Julia).
+  | InputBoundary
+  ||| Mutation and chaos coverage gap: test suites with no mutation-test
+  ||| tooling (no cargo-mutants config in Rust), no property-based testing
+  ||| in Elixir (ExUnitProperties/StreamData absent), or Julia @testset blocks
+  ||| with only type-check assertions and no value diversity.
+  | MutationGap
 
 ||| Witness that a detection rule exists for a weak point category.
 ||| Each variant names the language(s) whose analyzer detects it.
@@ -192,7 +201,7 @@ data HasDetector : WPCategory -> Type where
   DetectedBy : (langs : List Lang) -> HasDetector cat
 
 ||| Every weak point category has at least one detector.
-||| Total: Idris2 verifies all 23 constructors are covered.
+||| Total: Idris2 verifies all 25 constructors are covered.
 ||| The list of detecting languages mirrors the actual pattern
 ||| matching code in analyzer.rs.
 public export
@@ -220,6 +229,8 @@ detectorsFor UnsafeTypeCoercion   = DetectedBy [OCaml, Haskell, DLang, Nim]
 detectorsFor ProofDrift           = DetectedBy [Idris, Lean, Agda, Isabelle, Coq, Julia]
 detectorsFor CryptoMisuse         = DetectedBy [Rust, Python, JavaScript, Go, Elixir]
 detectorsFor SupplyChain          = DetectedBy [Rust, Julia, Nix, JavaScript]
+detectorsFor InputBoundary        = DetectedBy [Rust, JavaScript, Julia]
+detectorsFor MutationGap          = DetectedBy [Rust, Julia, Elixir]
 
 ||| Proof: every weak point category has at least one detector.
 public export