feat(mass-panic): Chapel HPC mass-panic module + fNIRS paper draft + results

- Chapel MassPanic/Protocol/Temporal upgrades for high-throughput panic analysis
- Rust main.rs integration updates
- New fNIRS paper draft (460 lines, complete with references)
- 8 benchmark result JSON files from assemblyline + system-image runs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

ROADMAP.adoc

@@ -43,7 +43,7 @@ binary, panicbot (gitbot-fleet CI integration), and mass-panic (org-scale batch
 * [x] Filesystem persistence for scan results
 * [x] VeriSimDB HTTP API integration: push octads via REST (ureq v3; VERISIMDB_URL env var; http feature; filesystem fallback)
 * [x] Per-project VeriSimDB instance: `deploy/panic-attack/fly.toml` for `verisim-panic-api` (6PN internal, lhr)
-* [ ] Delta reporting: only report changes since last scan
+* [x] Delta reporting: `diff` subcommand reports changes since last scan (`src/report/diff.rs`)
 * [ ] Hexad persistence for Patch Bridge mitigation registry (currently JSON file)
 * [ ] Historical trend queries via VCL
 
@@ -53,8 +53,8 @@ binary, panicbot (gitbot-fleet CI integration), and mass-panic (org-scale batch
 * [x] JSON output for pipeline integration
 * [x] A2ML manifest protocol support
 * [x] i18n support (10 languages, ISO 639-1)
-* [ ] Shell completions: bash, zsh, fish, nushell
-* [ ] Interactive TUI mode for reviewing findings
+* [x] Shell completions: bash, zsh, fish, nushell, powershell (`completions/` directory)
+* [x] Interactive TUI mode for reviewing findings (`tui` subcommand)
 * [ ] Improved error messages with fix suggestions
 
 == v2.4.0 -- Patch Bridge Phase 2
@@ -134,9 +134,13 @@ Identified as an estate-wide gap in the 2026-04-05 KRL-stack CRG blitz audit.
 * [x] Assemblyline batch scanning with rayon parallelism
 * [x] BLAKE3 fingerprinting for incremental scanning
 * [x] Notification pipeline (markdown summaries, GitHub issues)
-* [ ] Chapel metalayer: distributed `coforall` scanning across compute clusters
-* [ ] Multi-machine orchestration for org-scale scanning
-* [ ] Scan result aggregation across distributed nodes
+* [x] Chapel metalayer: `mass-panic` orchestrator with fNIRS-inspired SystemImage, temporal snapshots, VeriSimDB hexad persistence (`chapel/src/`)
+* [x] `fingerprint` subcommand: BLAKE3 directory hashing for incremental skip
+* [x] Temporal diff subcommand: `--subcommand=diff` with global health/risk/weak-point deltas
+* [x] Single-locale scan validated against 303-repo estate (2026-04-12)
+* [ ] Per-node temporal diff: load full SystemImage JSON for per-repo health breakdown
+* [ ] Multi-machine orchestration: gasnet/ofi multi-locale Chapel run across cluster nodes
+* [ ] VeriSimDB HTTP push from Chapel metalayer (currently file-only)
 
 == v3.1.0 -- Ecosystem Integration
 

chapel/src/MassPanic.chpl

@@ -146,16 +146,14 @@ module MassPanic {
         var results = allResults[0..#actualCount];
         sort(results, comparator=new ResultComparator());
 
-        // Filter to only repos with findings if --findingsOnly
-        var filteredResults = results;
-        if findingsOnly {
-            var kept: list(RepoResult);
-            for r in results {
-                if r.weakPointCount > 0 || r.error != "" then
-                    kept.pushBack(r);
-            }
-            filteredResults = kept.toArray();
+        // Filter to only repos with findings if --findingsOnly.
+        // Always build via list to avoid Chapel array-shape mismatch on assignment.
+        var filteredList: list(RepoResult);
+        for r in results {
+            if !findingsOnly || r.weakPointCount > 0 || r.error != "" then
+                filteredList.pushBack(r);
         }
+        var filteredResults = filteredList.toArray();
 
         // Build system image
         var image = buildSystemImage(filteredResults, repos.size);
@@ -242,9 +240,8 @@ module MassPanic {
             return;
         }
 
-        // Build minimal SystemImage objects from snapshot summaries —
-        // global metrics are accurate; per-node breakdown is not available
-        // without loading the full image JSON.
+        // Build SystemImage objects. Start with summary metrics (always available),
+        // then load per-node data from saved image files when paths are present.
         var olderImg: SystemImage;
         olderImg.generatedAt    = fromSnap.timestamp;
         olderImg.globalHealth   = fromSnap.globalHealth;
@@ -263,6 +260,28 @@ module MassPanic {
         newerImg.reposScanned   = toSnap.reposScanned;
         newerImg.nodeCount      = toSnap.nodeCount;
 
+        // Load per-node data if image files are available (written by takeSnapshot).
+        // Older snapshots written before this feature won't have imagePath set — the
+        // diff will still work with summary-only data, just no per-node breakdown.
+        if fromSnap.imagePath != "" {
+            const olderNodes = loadImageNodes(fromSnap.imagePath);
+            if olderNodes.size > 0 {
+                olderImg.nodes = olderNodes;
+                if !quiet then
+                    writeln("mass-panic diff: loaded ", olderNodes.size,
+                            " nodes from ", fromSnap.id);
+            }
+        }
+        if toSnap.imagePath != "" {
+            const newerNodes = loadImageNodes(toSnap.imagePath);
+            if newerNodes.size > 0 {
+                newerImg.nodes = newerNodes;
+                if !quiet then
+                    writeln("mass-panic diff: loaded ", newerNodes.size,
+                            " nodes from ", toSnap.id);
+            }
+        }
+
         const diff = diffSnapshots(olderImg, newerImg, fromSnap.tag, toSnap.tag);
 
         // Output
@@ -301,10 +320,28 @@ module MassPanic {
             writeln("New repos:   +", diff.newNodes.size);
         if diff.removedNodes.size > 0 then
             writeln("Gone repos:  -", diff.removedNodes.size);
-        if diff.improvedNodes.size > 0 then
+
+        // Per-node breakdown (only populated when full image files are available)
+        if diff.improvedNodes.size > 0 {
             writeln("Improved:    ", diff.improvedNodes.size, " repos");
-        if diff.degradedNodes.size > 0 then
+            for delta in diff.improvedNodes {
+                writeln("  ▲ ", delta.name,
+                        "  health ", formatDelta(delta.healthAfter - delta.healthBefore),
+                        "  wp ", formatDeltaInt(delta.weakPointsAfter - delta.weakPointsBefore));
+            }
+        }
+        if diff.degradedNodes.size > 0 {
             writeln("Degraded:    ", diff.degradedNodes.size, " repos");
+            for delta in diff.degradedNodes {
+                writeln("  ▼ ", delta.name,
+                        "  health ", formatDelta(delta.healthAfter - delta.healthBefore),
+                        "  wp ", formatDeltaInt(delta.weakPointsAfter - delta.weakPointsBefore));
+            }
+        }
+        if diff.improvedNodes.size == 0 && diff.degradedNodes.size == 0 &&
+           diff.unchangedCount == 0 {
+            writeln("(run two scans to enable per-repo breakdown)");
+        }
         writeln();
     }
 
@@ -323,7 +360,31 @@ module MassPanic {
         writer.writeln("  \"removed_repos\": ", diff.removedNodes.size, ",");
         writer.writeln("  \"improved_repos\": ", diff.improvedNodes.size, ",");
         writer.writeln("  \"degraded_repos\": ", diff.degradedNodes.size, ",");
-        writer.writeln("  \"unchanged_repos\": ", diff.unchangedCount);
+        writer.writeln("  \"unchanged_repos\": ", diff.unchangedCount, ",");
+
+        // Per-node deltas — empty arrays when image files were not available
+        writer.writeln("  \"improved\": [");
+        for (delta, idx) in zip(diff.improvedNodes, 0..) {
+            if idx > 0 then writer.write(", ");
+            writer.write("{\"id\": \"", delta.nodeId, "\", \"name\": \"", delta.name, "\", ");
+            writer.write("\"health_before\": ", delta.healthBefore, ", ");
+            writer.write("\"health_after\": ", delta.healthAfter, ", ");
+            writer.write("\"wp_before\": ", delta.weakPointsBefore, ", ");
+            writer.write("\"wp_after\": ", delta.weakPointsAfter, "}");
+        }
+        writer.writeln("\n  ],");
+
+        writer.writeln("  \"degraded\": [");
+        for (delta, idx) in zip(diff.degradedNodes, 0..) {
+            if idx > 0 then writer.write(", ");
+            writer.write("{\"id\": \"", delta.nodeId, "\", \"name\": \"", delta.name, "\", ");
+            writer.write("\"health_before\": ", delta.healthBefore, ", ");
+            writer.write("\"health_after\": ", delta.healthAfter, ", ");
+            writer.write("\"wp_before\": ", delta.weakPointsBefore, ", ");
+            writer.write("\"wp_after\": ", delta.weakPointsAfter, "}");
+        }
+        writer.writeln("\n  ]");
+
         writer.writeln("}");
     }
 
@@ -489,12 +550,14 @@ module MassPanic {
 
         select mode {
             when "assail" {
+                // --quiet causes assail to emit JSON on stdout (no --output needed)
+                args.pushBack("--quiet");
                 args.pushBack("assail");
                 args.pushBack(repoPath);
-                args.pushBack("--output-format=json");
             }
             when "assault" {
                 // Full stress test: assail + attack all axes
+                args.pushBack("--quiet");
                 args.pushBack("assault");
                 args.pushBack(repoPath);
                 args.pushBack("--output-format=json");
@@ -507,6 +570,7 @@ module MassPanic {
             }
             when "ambush" {
                 // Timeline-driven stress test
+                args.pushBack("--quiet");
                 args.pushBack("ambush");
                 args.pushBack(repoPath);
                 args.pushBack("--output-format=json");

chapel/src/Protocol.chpl

@@ -97,18 +97,38 @@ module Protocol {
         result.repoPath = repoPath;
         result.repoName = basename(repoPath);
 
-        // Extract key fields from JSON using simple string matching.
-        // This avoids a full JSON parser dependency — panic-attack's output
-        // format is stable and well-defined by the panicbot JSON contract.
-        result.weakPointCount = extractInt(jsonStr, "\"weak_points\":");
+        // The assail JSON format is:
+        //   "weak_points": [ {"category": "...", "severity": "High", ...}, ... ]
+        //   "statistics":  { "total_lines": N, "unsafe_blocks": N, ... }
+        //
+        // Count weak points by counting "category": occurrences (one per weak point).
+        // Count severity grades by scanning for "severity": "Critical" etc. (note space after colon).
+        // total_lines lives under statistics but extractInt finds the first occurrence anywhere.
+        // total_files is not in the output — approximated from file_statistics array length.
+        result.weakPointCount = countOccurrences(jsonStr, "\"category\":");
         result.criticalCount = countSeverity(jsonStr, "Critical");
         result.highCount = countSeverity(jsonStr, "High");
-        result.totalFiles = extractInt(jsonStr, "\"total_files\":");
+        result.totalFiles = countOccurrences(jsonStr, "\"file_path\":");
         result.totalLines = extractInt(jsonStr, "\"total_lines\":");
 
         return result;
     }
 
+    // Count non-overlapping occurrences of a search string in json.
+    proc countOccurrences(json: string, searchStr: string): int {
+        var count = 0;
+        var remaining = json;
+        while remaining.size > 0 {
+            const idx = remaining.find(searchStr);
+            if idx == -1 then break;
+            count += 1;
+            var rest: string;
+            try { rest = remaining[idx..]; } catch { break; }
+            try { remaining = rest[searchStr.size..]; } catch { break; }
+        }
+        return count;
+    }
+
     proc extractInt(json: string, key: string): int {
         const idx = json.find(key);
         if idx == -1 then return 0;
@@ -131,16 +151,22 @@ module Protocol {
         return 0;
     }
 
+    // Count severity occurrences. The assail JSON emits `"severity": "High"` with
+    // a space after the colon, so we match both spaced and compact forms.
     proc countSeverity(json: string, severity: string): int {
-        // Slice-and-search: advance through the string by taking suffixes.
-        const searchStr = "\"severity\":\"" + severity + "\"";
         var count = 0;
-        var remaining = json;
-        while remaining.size > 0 {
-            const idx = remaining.find(searchStr);
-            if idx == -1 then break;
-            count += 1;
-            remaining = try! (try! remaining[idx..])[searchStr.size..];
+        // Try both "severity": "X" (spaced) and "severity":"X" (compact)
+        for searchStr in ["\"severity\": \"" + severity + "\"",
+                          "\"severity\":\"" + severity + "\""] {
+            var remaining = json;
+            while remaining.size > 0 {
+                const idx = remaining.find(searchStr);
+                if idx == -1 then break;
+                count += 1;
+                var rest: string;
+                try { rest = remaining[idx..]; } catch { break; }
+                try { remaining = rest[searchStr.size..]; } catch { break; }
+            }
         }
         return count;
     }

chapel/src/Temporal.chpl

@@ -275,6 +275,7 @@ module Temporal {
                 snap.totalCritical   = extractInt(obj, "\"critical\":");
                 snap.reposScanned    = extractInt(obj, "\"repos\":");
                 snap.nodeCount       = extractInt(obj, "\"nodes\":");
+                snap.imagePath       = extractQuotedString(obj, "\"image_path\":");
 
                 if snap.id != "" then results.pushBack(snap);
             }
@@ -283,6 +284,69 @@ module Temporal {
         return results;
     }
 
+    // ---------------------------------------------------------------------------
+    // Full image node loading — enables per-node diff
+    // ---------------------------------------------------------------------------
+
+    // Load the node list from a saved SystemImage JSON file.
+    // The image JSON contains a "nodes" array where each entry is a single-line
+    // JSON object as written by writeNodeJson in Imaging.chpl.
+    // Returns an empty list if the file is missing, unreadable, or has no nodes.
+    proc loadImageNodes(imagePath: string): list(ImageNode) {
+        var nodes: list(ImageNode);
+        if imagePath == "" || !safeIsFile(imagePath) then return nodes;
+
+        var inNodes = false;
+        try {
+            var f = open(imagePath, ioMode.r);
+            var reader = f.reader(locking=false);
+            var line: string;
+            while reader.readLine(line, stripNewline=true) {
+                const trimmed = line.strip();
+
+                if trimmed.startsWith("\"nodes\"") {
+                    inNodes = true;
+                    continue;
+                }
+                // The edges array follows nodes — stop when we hit it
+                if inNodes && trimmed.startsWith("\"edges\"") {
+                    break;
+                }
+                if inNodes && trimmed.startsWith("]") {
+                    inNodes = false;
+                    continue;
+                }
+
+                if !inNodes then continue;
+                if trimmed == "" || trimmed == "[" then continue;
+
+                // Strip trailing comma if present
+                var obj = if trimmed.endsWith(",") then trimmed[..trimmed.size - 2] else trimmed;
+                if !obj.startsWith("{") then continue;
+
+                var node: ImageNode;
+                node.id             = extractQuotedString(obj, "\"id\":");
+                node.name           = extractQuotedString(obj, "\"name\":");
+                node.level          = extractQuotedString(obj, "\"level\":");
+                node.healthScore    = extractReal(obj, "\"health_score\":");
+                node.riskIntensity  = extractReal(obj, "\"risk_intensity\":");
+                node.weakPointDensity = extractReal(obj, "\"weak_point_density\":");
+                node.weakPointCount = extractInt(obj, "\"weak_point_count\":");
+                node.criticalCount  = extractInt(obj, "\"critical_count\":");
+                node.totalFiles     = extractInt(obj, "\"total_files\":");
+                node.totalLines     = extractInt(obj, "\"total_lines\":");
+                node.fingerprint    = extractQuotedString(obj, "\"fingerprint\":");
+                // skipped is an unquoted boolean: scan for "skipped": true
+                node.skipped = obj.find("\"skipped\": true") != -1 ||
+                               obj.find("\"skipped\":true") != -1;
+
+                if node.id != "" then nodes.pushBack(node);
+            }
+        } catch { }
+
+        return nodes;
+    }
+
     // Extract a real (floating-point) value following a JSON key.
     proc extractReal(json: string, key: string): real {
         const idx = json.find(key);
@@ -376,7 +440,7 @@ module Temporal {
                 w.writeln(existingEntries, ",");
             }
 
-            // New snapshot entry
+            // New snapshot entry — image_path enables per-node diff on reload
             w.write("    {");
             w.write("\"id\": \"", newSnap.id, "\", ");
             w.write("\"timestamp\": \"", newSnap.timestamp, "\", ");
@@ -387,7 +451,8 @@ module Temporal {
             w.write("\"weak_points\": ", newSnap.totalWeakPoints, ", ");
             w.write("\"critical\": ", newSnap.totalCritical, ", ");
             w.write("\"repos\": ", newSnap.reposScanned, ", ");
-            w.write("\"nodes\": ", newSnap.nodeCount);
+            w.write("\"nodes\": ", newSnap.nodeCount, ", ");
+            w.write("\"image_path\": \"", newSnap.imagePath, "\"");
             w.writeln("}");
 
             w.writeln("  ]");