Snapshot local work before sync

Author: hyperpolymath

.github/workflows/casket-pages.yml

@@ -0,0 +1,116 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+name: GitHub Pages
+
+on:
+  push:
+    branches: [main, master]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+
+      - name: Checkout casket-ssg
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        with:
+          repository: hyperpolymath/casket-ssg
+          path: .casket-ssg
+
+      - name: Setup GHCup
+        uses: haskell-actions/setup@ec49483bfc012387b227434aba94f59a6ecd0900 # v2
+        with:
+          ghc-version: '9.8.2'
+          cabal-version: '3.10'
+
+      - name: Cache Cabal
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: |
+            ~/.cabal/packages
+            ~/.cabal/store
+            .casket-ssg/dist-newstyle
+          key: ${{ runner.os }}-casket-${{ hashFiles('.casket-ssg/casket-ssg.cabal') }}
+
+      - name: Build casket-ssg
+        working-directory: .casket-ssg
+        run: cabal build
+
+      - name: Prepare site source
+        shell: bash
+        run: |
+          set -euo pipefail
+          rm -rf .site-src _site
+
+          if [ -d site ]; then
+            cp -R site .site-src
+          else
+            mkdir -p .site-src
+            TODAY="$(date +%Y-%m-%d)"
+            REPO_NAME="${{ github.event.repository.name }}"
+            REPO_URL="https://github.com/${{ github.repository }}"
+            README_URL=""
+
+            if [ -f README.md ]; then
+              README_URL="${REPO_URL}/blob/${{ github.ref_name }}/README.md"
+            elif [ -f README.adoc ]; then
+              README_URL="${REPO_URL}/blob/${{ github.ref_name }}/README.adoc"
+            fi
+
+            {
+              echo "---"
+              echo "title: ${REPO_NAME}"
+              echo "date: ${TODAY}"
+              echo "---"
+              echo
+              echo "# ${REPO_NAME}"
+              echo
+              echo "Static documentation site for ${REPO_NAME}."
+              echo
+              echo "- Source repository: [${{ github.repository }}](${REPO_URL})"
+              if [ -n "${README_URL}" ]; then
+                echo "- README: [project README](${README_URL})"
+              fi
+              if [ -d docs ]; then
+                echo "- Docs directory: [docs/](${REPO_URL}/tree/${{ github.ref_name }}/docs)"
+              fi
+              echo
+              echo "Project-specific site content can be added later under site/."
+            } > .site-src/index.md
+          fi
+
+      - name: Build site
+        run: |
+          mkdir -p _site
+          cd .casket-ssg && cabal run casket-ssg -- build ../.site-src ../_site
+          touch ../_site/.nojekyll
+
+      - name: Setup Pages
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
+
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
+        with:
+          path: '_site'
+
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4

README.adoc

@@ -141,6 +141,44 @@ It is designed to be **trustworthy**.
 
 ---
 
+== CLI & Automation
+
+`panic-attack` is a Clap-powered CLI. Each subcommand inherits a shared set of knobs so the UX is consistent whether developers run `assail`, `attack`, `assault`, `temporal`, `panll`, `groove`, or another entry point.
+
+=== Global options
+
+Globally applied flags let automation pipelines control verbosity, output format, storage location, and presentation. Current defaults are:
+
+[cols="1,1,6",options="header"]
+|===
+| Flag | Default | Description
+| `--report-view` | `Accordion` | Controls the presentation mode (`Accordion`, `Summary`, `Timeline`) that the CLI writes and that PanLL mirrors.
+| `--expand-sections` | `false` | Expands extra detail blocks in the formatted report.
+| `--output-format` | `json` | Chooses how the artifact is serialized (`json`, `markdown`, or `text`); the CLI reuses this when it writes PanLL exports or temporal diffs.
+| `--pivot` | `false` | Rotates the narrative axis for boards that expect events-first storytelling.
+| `--store` | unset | Directory where generated reports, exports, and artifacts should land.
+| `--quiet` | `false` | Suppresses informational log lines for automation.
+| `--parallel` | `false` | Enables threaded execution when commands support it (assault, image, mass-panic).
+|===
+
+Consult `man/panic-attack.1` or `panic-attack help` for every command, and use `panic-attack completions --shell <fish|zsh|bash|powershell|nushell>` to bootstrap automation-friendly helpers.
+
+=== Automation readiness
+
+`panic-attack diagnostics` validates AI manifests, VeriSimDB caches, Hypatia and gitbot-fleet watchers, and the docs PanLL expects (`docs/ambush-timeline.md`, `docs/panll-export.md`). `docs/patch-bridge-design.md` details how the patch-bridge subcommands plug into BoJ cartridges, CVE workflows, and the PanLL panel.
+
+`just test-elixir` runs the Elixir harnesses that cover the CLI surface so documentation, help text, and automation flags stay aligned.
+
+== Integration & Groove
+
+panic-attack can emit PanLL-friendly exports (event chains, system images, temporal diffs) per `docs/panll-export.md`, and it also advertises its static-analysis capability via the Gossamer groove protocol. Start the discovery endpoint with `panic-attack groove --port 7600` and check the JSON manifest by curling `http://localhost:7600/.well-known/groove` (the health endpoint sits at `/health`).
+
+The manifest follows the Idris-aligned semantics that live in `boj-server/src/interface/abi/Groove.idr` and the `gossamer` schema references. As a result, any groove-aware consumer—PanLL event-chain panels, the Burble voice platform, Hypatia, or other automation fabrics—sees the same capability vocabulary and can attach its own UI (Groove + Burble PanLL) confidently.
+
+VeriSimDB remains the foundation dependency for these exports, so every snapshot recorded for PanLL, Gossamer, or Burble can be replayed, inspected, and audited even after the CLI process exits.
+
+---
+
 == Status
 
 Current state: **v2.1.0**

docs/panll-export.md

@@ -59,3 +59,28 @@ Notes:
 
 Future versions can enrich this export with constraints, event dependencies,
 and a full PanLL graph import/export pipeline.
+
+## Groove discovery
+
+panic-attack also advertises its export capability through the Gossamer groove
+protocol so PanLL and other groove-aware systems can discover it automatically.
+Run `panic-attack groove --port 7600` and curl
+`http://localhost:7600/.well-known/groove` to verify the manifest. The minimal
+HTTP server answers `/health` for automated monitoring, and gossamer/panll
+consumers can read the `static_analysis` capability description to confirm the
+service identity.
+
+The JSON manifest mirrors the Idris-aligned semantics under
+`boj-server/src/interface/abi/Groove.idr` and the shared `gossamer/schema`
+definitions, so every consumer (Gossamer, PanLL, Hypatia, or Burble) sees the
+same capability vocabulary and can negotiate the link with confidence.
+
+## Gossamer + Burble PanLL
+
+When Gossamer (or a Burble-powered PanLL UI) discovers panic-attack via groove,
+PanLL panels can auto-bind the static analysis service into PanLL’s event-chain
+flows. Those panels load the exported `panll.event-chain.v0` artifacts documented
+here, referencing the same VeriSimDB snapshot that supplies every proof and
+benchmark baseline. VeriSimDB acts as the foundation dependency so the historical
+timeline that PanLL renders stays aligned with the grooved manifest even after
+panic-attack exits.

docs/reports/audit/2026-03-30-panic-attack-audit.adoc

@@ -0,0 +1,77 @@
+// SPDX-License-Identifier: PMPL-1.0-or-later
+= panic-attack Audit 2026-03-30
+:revdate: 2026-03-30
+
+== Summary
+
+Status: `fail` (implementation strong, publication blocked)
+
+panic-attack is a mature security analysis suite: the README lists 196 passing
+tests, 47 supported languages, and multiple CLI modes. That makes it one of the
+headline wish-list tools for the estate, but the release gate still requires
+proof closure, green builds, and traceable invariants before any v1/stable
+claims get restored.
+
+== Evidence log
+
+* README claims: multi-language static analysis (47 langs), 20 weakness
+  categories, attack simulation, system imaging, attestation, plus the
+  event-chain export described in `panll-event-chain.json`.
+* `PROOF-NEEDS.md` records the current proof debt: analyzer soundness/completeness,
+  SARIF correctness, CVE classification accuracy, reachability/taint invariants,
+  attestation chain integrity, and lockfile parsing. Idris2 types exist only in
+  `src/abi/Types.idr` and are minimal; large portions of the logic remain
+  informal and would benefit from an Agda/Idris session.
+* `just test` runs `cargo test` but the build stops at `src/attestation/intent.rs:59`
+  because `getrandom::getrandom` cannot be found in the version of the `getrandom`
+  crate currently pulled in. The nightly compile log ends with `rustc` error
+  E0425 (`cannot find function getrandom in crate getrandom`), so every test
+  target fails before exercising anything beyond the first module.
+* `PROOF-NEEDS` also records 282 `unwrap()` calls scattered across the analyzer
+  (already noted in the README as “dangerous patterns: 0 in our code but there
+  are many `unwrap()`s because panic-attack hunts for them).
+
+== Confirmed blockers
+
+* `just test` fails immediately because `src/attestation/intent.rs` calls
+  `getrandom::getrandom` but Rust cannot resolve that symbol in the dependency
+  graph; until the crate dependency or feature set is corrected, there is no
+  build/test evidence.
+* The proof debt is wide open: the analyzer’s detection/completeness invariants,
+  the SARIF/attestation outputs, the miniKanren taint engine, and the bridge
+  classification logic all have entries in `PROOF-NEEDS.md` and lack machine-checked
+  scripts.
+* Template metadata such as `panic-attacker.toml.example`, `contractiles`
+  scaffolding, and `docs/` narratives still expose TODOs about future
+  system-level features, so the release gate sees residual preflight noise.
+
+== Containment actions taken
+
+* The README/ROADMAP/VISION files already insist the tool is for analysis and
+  visibility, not for quiet operation; the gate now treats panic-attack as a
+  research-grade scanner until the proofs and build-green status is restored.
+* `reports/` capture the latest assemblyline/adjudicate runs, so reviewers can
+  see the operational output even though the upstream proofs remain untracked.
+* The `PROOF-NEEDS` document surfaced the high-priority invariants, so the next
+  proof sessions have a defined backlog.
+
+== Immediate next actions
+
+* Fix the `getrandom` linkage: verify the `getrandom` dependency exposes `getrandom`
+  or replace the call with a supported API (e.g., `rand::random`, `secrecy`
+  wrappers, or a custom randomizer) so `cargo test`/`just test` can finish.
+* Schedule Claude-level proof sessions to mechanize analyzer soundness,
+  taint propagation, SARIF validity, reachability accuracy, and the attestation
+  chain described in `docs/assemblyline` outputs. Each theorem should produce a
+  machine-checked Idris2/Agda file with zero `believe_me`.
+* Clean up the remaining template placeholders in the `contractiles`/`docs`
+  directories so the release preflight does not flag `TODO` noise as proof debt.
+* Document the `self-*` reports (`self-a2ml.a2ml`, `self-roundtrip.json`) so
+  reviewers can reproduce the scans and verify the attestation/assemblyline
+  pipelines.
+
+== Invitation for review
+
+If you disagree with these blockers or can help close one, annotate this file
+or open an issue. We intentionally accept challenge; the goal is to make every
+release claim fact-based before we call it stable or publishable.

man/panic-attack.1

@@ -60,6 +60,12 @@ Encodes a report artifact as a schema-versioned A2ML report bundle (supports ass
 .B a2ml-import INPUT --output OUT [--kind KIND]
 Decodes an A2ML report bundle back into JSON (optionally assert expected kind).
 .TP
+.B completions --shell SHELL
+Generates shell tab-completion helpers for the CLI (fish, zsh, bash, powershell, and nushell). Use this before wiring automation so every flag and subcommand can be discovered programmatically.
+.TP
+.B groove [--port PORT]
+Starts a minimal HTTP groove discovery endpoint (default port 7600). The server answers `/.well-known/groove` with the manifest defined in `src/groove.rs` and `/health` for service monitors; Gossamer, PanLL, Hypatia, or Burble-aware clients can curl the manifest to see the `static_analysis` capability and fetch the exports documented in `docs/panll-export.md`.
+.TP
 .B panll REPORT [--out OUT]
 Converts an assault report into a PanLL event-chain JSON for Pane-W import.
 .TP