docs(closeout): v2.5.5 cohort + v3.0.0 verisim-push + PROOF-PROGRAMME comprehensive close-out (#112)

## Summary

Comprehensive documentation refresh for the 8-PR cohort that landed
earlier today (#102 #104 #105 #106 #107 #108 #110 #111). Plus a
silently-broken CI fix: `tests/` WeakPoint construction sites had not
been updated with the new `test_context` field.

## Files updated

| File | What changes |
|---|---|
| `README.adoc` | Tests badge 782 → **897 passing**; status block
extended with v2.5.5 cohort summary + PROOF-PROGRAMME link |
| `EXPLAINME.adoc` | File-layout table extended with the four new
`src/*.rs` modules + `apply_v255_context_suppression`; PA-code count
clarified (25 canonical / 26 enum with PA001b subvariant); `src/abi/`
proof modules listed |
| `CHANGELOG.md` | New `Added (2026-06-02 PM)` section above the Changed
entry, documenting all eight PRs with per-PR scope |
| `ROADMAP.adoc` | v2.5.5 section: all four subsections flipped per
actual PR coverage (8x `[x]`, 5x `[~]`, 3x `[ ]`); each flipped item
documents the delivering PR |
| `.machine_readable/6a2/STATE.a2ml` | Metadata bumped to 2026-06-02;
new `[session-2026-06-02-pm]` section (11 detail keys);
`[next-priorities]` refreshed |
| `0-AI-MANIFEST.a2ml` | `canonical-locations` extended with PROOF-NEEDS
/ PROOF-PROGRAMME / TEST-NEEDS; new `v255-modules` + `proof-modules`
sections |
| `tests/{panll,property,report,sarif,seam_contract}_tests.rs` |
`test_context: None` added to `WeakPoint` constructions missed by #102
sed pass (only `src/` was covered); CI was silently broken on main
before this |

## Verification

- `cargo build --release`: clean
- `cargo test --release`: **897 passing / 0 failed / 4 ignored** across
lib + 10 integration test binaries
- `cargo test -- --list` count: **901 runnable**

## Note

This PR's last bullet — the `tests/` fix — is a **real CI repair**.
Without it `cargo test --release --no-run` fails on main with `E0063:
missing field test_context`. The original #102 sed pass only covered
`src/` constructions; the integration tests in `tests/` were missed. The
6 sed-added lines per affected file are mechanical.

## Refs

- ROADMAP.adoc v2.5.5
- PROOF-PROGRAMME.md (added by #104)
- PRs #102 #104 #105 #106 #107 #108 #110 #111 — the v2.5.5/v3.0.0/PROOF
cohort being documented

Author: hyperpolymath

.machine_readable/6a2/STATE.a2ml

@@ -5,7 +5,7 @@
 [metadata]
 project = "panic-attack"
 version = "2.5.0"
-last-updated = "2026-06-01"
+last-updated = "2026-06-02"
 status = "active"
 
 [project-context]
@@ -74,8 +74,27 @@ estate-sweep-spawned = "a2ml-validate-action SHA bump fanout across 215 estate r
 commits = "b323f6f (baseline-red fixes), 5e02b82 (a2ml relocation), 11e54a9 (action SHA bump on #94)"
 blocker = "none"
 
+[session-2026-06-02-pm]
+description = "v2.5.5 context-awareness cohort + v3.0.0 Chapel→VeriSimDB HTTP push + PROOF-PROGRAMME"
+prs-merged = "#102 (test_context foundation), #104 (PROOF-PROGRAMME 3-layer), #105 (comment_marker inline suppression), #106 (ffi_kind subtyping), #107 (jit_context classifier), #108 (Chapel verisim-push), #110 (Phase 2 analyzer wire-up), #111 (Layer 1.0 strip-idempotence partial)"
+v255-test-context = "Cross-language test-path classification (Rust/Python/Go/JS-TS/Julia/Zig/Elixir/docs); WeakPoint.test_context: Option<TestContext> field through 137 sites; content-promotion via ExUnit/unittest/pytest/@testset markers"
+v255-comment-marker = "// panic-attack: accepted [- reason] inline marker; mid-line // for C-family, start-of-line for # / -- / ; / % / /// / //!; string-literal aware; shebang excluded; same-or-preceding-line scope"
+v255-ffi-kind = "PA013 subtyped: BuildSystem (build.zig/build.rs audit-accepted) / RuntimeAbi (bindings/ ffi/ sys/ cdef.zig audit-significant) / TestMock (tests/mocks tests/stubs audit-accepted) / Unknown; is_audited_boundary() parses audits/audit-ffi-unsafe.md sections"
+v255-jit-context = "Cranelift / Llvm / Wasm / Javascript / None classifier; classify_rust(content) heuristic; transmute_targets_fn_ptr tolerant of unsafe { ... } wrappers"
+v255-phase-2-wire-up = "apply_v255_context_suppression() runs after kanren rules: marker-flip suppressed=true, PanicPath-in-TestOnly/Doc auto-suppress, UnsafeFFI-in-BuildSystem/TestMock auto-suppress; per-file content cache"
+v300-chapel-verisim-push = "panic-attack verisim-push <hexad> --url --retry --fallback-dir subcommand under http Cargo feature; Chapel takeSnapshot 6-arg overload spawns subprocess after local hexad write; local-writes-authoritative + push-additive semantics"
+proof-programme = "PROOF-PROGRAMME.md (3-layer Surface/Engine/Persistence, 9-phase ~16-week sequence); src/abi/Stripping.idr (Layer 1.0 partial: IsStrippedBody shape lemma + stripBodyProducesStrippedShape + base cases of stripLineCommentsIdempotent Qed-closed; open: slash-slash inductive closure)"
+proven-cross-fit = "SafePath + SafeUrl identified as port-to-Rust candidates (perf-neutral, semantic-equivalent); SafeJson / SafeRegex / SafeDateTime / SafeCommand / SafeEnv / SafeUUID marked skip (already total / semantic mismatch); 7 gaps for first-principles proofs (miniKanren engine, hexad model, A2ML chain, bridge reachability, sweep tracker, adjudicate/axial, FFI ABI)"
+test-count = "897 passing (cargo test --release; 4 ignored; 901 runnable per --list)"
+truthfulness-fix = "tests/ WeakPoint constructions sed-updated for test_context field (was silently broken on main post-#102)"
+blocker = "none"
+
 [next-priorities]
 hexad-patch-bridge = "Migrate Patch Bridge mitigation registry from JSON to hexad persistence (ROADMAP v2.2.0 / v2.4.0)"
 multi-lockfile = "Extend Patch Bridge beyond Cargo.lock to package-lock.json, mix.lock, etc. (ROADMAP v2.4.0)"
 trend-queries-vcl = "Historical trend queries via VCL (ROADMAP v2.2.0)"
-chapel-wave-2 = "Real multi-locale cluster validation on non-trivial corpus (issue #87 — owner-gated on toolchain choice)"
+chapel-wave-3 = "Cross-node gasnet/ofi over real NIC — needs cluster runner (issue #87 Wave 3)"
+layer-1-0-closure = "stripIsIdentityOnStrippedBody — closes slash-slash inductive case of stripLineCommentsIdempotent (PROOF-PROGRAMME row 1 follow-up)"
+layer-1-0-block-strings = "Stripping_Block.idr + Stripping_Strings.idr + Stripping_Composition.idr + Stripping_PositionPreservation.idr (PROOF-PROGRAMME row 1 remaining)"
+hypatia-rule-wiring = "Hypatia ingestion of test_context / ffi_kind / jit_context metadata; ContextSuppressed bucket distinct from RuleSuppressed"
+gitbot-panicbot-wiring = "gitbot-fleet panicbot translator: surface test_context + suppression-reason in fleet-side reports"

0-AI-MANIFEST.a2ml

@@ -20,10 +20,29 @@
       (roadmap "ROADMAP.adoc")
       (design "DESIGN.md")
       (vision "VISION.md")
-      (explainme "EXPLAINME.adoc"))
+      (explainme "EXPLAINME.adoc")
+      (proof-needs "PROOF-NEEDS.md")
+      (proof-programme "PROOF-PROGRAMME.md")
+      (test-needs "TEST-NEEDS.md"))
     (source "src/")
     (tests "tests/")
-    (examples "examples/"))
+    (examples "examples/")
+    (v255-modules
+      (test-context "src/test_context.rs"
+        "Cross-language test-path classification (Rust / Python / Go / JS-TS / Julia / Zig / Elixir / docs-examples)")
+      (comment-marker "src/comment_marker.rs"
+        "Inline // panic-attack: accepted [- reason] suppression marker (cross-language comment leaders)")
+      (ffi-kind "src/ffi_kind.rs"
+        "UnsafeFFI (PA013) subtyping: BuildSystem / RuntimeAbi / TestMock / Unknown")
+      (jit-context "src/jit_context.rs"
+        "JIT-framework classifier: Cranelift / Llvm / Wasm / Javascript / None"))
+    (proof-modules
+      (pa1 "src/abi/PatternCompleteness.idr"
+        "Pattern detection completeness — every Lang / WPCategory has a detector")
+      (pa2 "src/abi/ClassificationSoundness.idr"
+        "Classification soundness — Severity total order + maxSeverity commutativity")
+      (layer-1-0 "src/abi/Stripping.idr"
+        "PROOF-PROGRAMME Layer 1.0 partial — line-comment-strip foundation lemmas")))
 
   (critical-invariants
     (rule "SCM files MUST be in .machine_readable/ directory ONLY"

CHANGELOG.md

@@ -2,6 +2,28 @@
 
 ## [Unreleased]
 
+### Added (2026-06-02 PM) — v2.5.5 context-awareness cohort + v3.0.0 Chapel→VeriSimDB push + PROOF-PROGRAMME
+
+Eight PRs landed in one cohort closing the v2.5.5 ROADMAP section, a v3.0.0 item, and opening the first proof slice of the new PROOF-PROGRAMME.
+
+**v2.5.5 — Attack Surface Widening (false-positive reduction)**
+
+- **`test_context` foundation** (#102): new `src/test_context.rs` module with cross-language test-path classification (Rust / Python / Go / JavaScript / Julia / Zig / Elixir / docs-examples). New `WeakPoint.test_context: Option<TestContext>` field (Production / TestOnly / Doc) plumbed through 137 construction sites. Content-based promotion via `use ExUnit.Case` / `unittest.TestCase` / `pytest.fixture` / `@testset` markers.
+- **`comment_marker` inline suppression** (#105): new `src/comment_marker.rs` module recognising `// panic-attack: accepted [- reason]` on the same or preceding line. Cross-language comment leaders: `//` mid-line for C-family; `#` / `--` / `;` / `%` / `///` / `//!` start-of-line for Python/Haskell/Lisp/Erlang/Rust-doc/Rust-inner-doc. String-literal aware. Shebang `#!` excluded.
+- **`ffi_kind` subtyping** (#106): new `src/ffi_kind.rs` module subtyping `WeakPointCategory::UnsafeFFI` (PA013) into BuildSystem / RuntimeAbi / TestMock / Unknown. `classify_by_path` distinguishes `build.zig` / `build.rs` (BuildSystem, audit-accepted by default) from `bindings/` / `ffi/` / `sys/` / `cdef.zig` (RuntimeAbi, audit-significant) from `tests/mocks/` / `tests/stubs/` (TestMock, also audit-accepted). New `is_audited_boundary(audit_text, file_path)` parses `audits/audit-ffi-unsafe.md` `## Approved boundaries` markdown.
+- **`jit_context` classifier** (#107): new `src/jit_context.rs` module classifying JIT frameworks — Cranelift / Llvm / Wasm / Javascript / None. Factors existing inline Cranelift detection at `analyzer.rs:1117..1129` into reusable surface. `transmute_targets_fn_ptr` made tolerant of `= unsafe { ... transmute(..) }` wrappers.
+- **Phase 2 analyzer wire-up** (#110): new `apply_v255_context_suppression(&mut report)` runs after the kanren-based rule pass and (a) marker-flips `WeakPoint.suppressed = true` when `panic-attack: accepted` is on or above the line, (b) auto-suppresses `PanicPath` in TestOnly/Doc context, (c) auto-suppresses `UnsafeFFI` in BuildSystem/TestMock context. Sets `test_context` metadata on every finding with a known file path.
+
+**v3.0.0 — Distributed Scanning (HTTP push from Chapel)**
+
+- **`panic-attack verisim-push <hexad>` subcommand** (#108): new `Commands::VerisimPush` gated on the `http` Cargo feature. Reads a JSON hexad (typically what Chapel `takeSnapshot` just wrote), POSTs to `$VERISIMDB_URL` (default `http://localhost:8080`) via the existing `storage::push_hexad_http_with_retry`. `--fallback-dir` writes a JSON copy on HTTP failure for offline replay.
+- **Chapel `takeSnapshot` overload** (#108): new 6-arg form accepting `verisimPushUrl` + `panicAttackBin` parameters. Spawns `panic-attack verisim-push --url <url> --retry <hexad>` after local hexad write. Local writes remain authoritative; push is additive. Closes the `[ ]` ROADMAP item.
+
+**PROOF-PROGRAMME — first-principles soundness**
+
+- **`PROOF-PROGRAMME.md`** (#104): 3-layer landscape (Surface / Engine / Persistence) covering all 25 PA-code soundness proofs + miniKanren correctness + bridge reachability + attestation chain unforgeability. 9-phase sequencing (~16 weeks). Identifies `proven` cross-fit candidates: only `SafePath` + `SafeUrl` qualify as port-to-Rust (perf-neutral, semantic-equivalent); `SafeJson` / `SafeRegex` / `SafeDateTime` / `SafeCommand` / `SafeEnv` / `SafeUUID` marked skip (already total / semantic mismatch).
+- **Layer 1.0 partial** (#111): new `src/abi/Stripping.idr` Qed-closing the foundation lemmas for line-comment stripping — `stripBodyProducesStrippedShape` (every body output satisfies `IsStrippedBody`) + base cases of `stripLineCommentsIdempotent` (empty + non-slash-headed input). Open: the slash-slash inductive closure `stripIsIdentityOnStrippedBody` (recorded as the next Layer-1.0 slice in `PROOF-NEEDS.md`).
+
 ### Changed (2026-06-02) — truthfulness audit (humans + machines)
 - **README badge + Status block** corrected: 402 → **782 runnable tests**
   (per `cargo test --release -- --list`; the underlying 539 `#[test]`

EXPLAINME.adoc

@@ -43,9 +43,17 @@ The README makes claims. This file backs them up.
 
 | `src/main.rs` | CLI entry: 20 subcommands (assail, assault, temporal, panll, groove, bridge, etc.)
 | `src/lib.rs` | Library API exposing all analysis engines
-| `src/assail/` | Static analysis (49 languages, 25 weak-point categories)
+| `src/assail/` | Static analysis (49 languages, 25 canonical PA-codes / 26 enum variants; `PA001` ⇒ `UncheckedAllocation` + `PA001b` ⇒ `UnboundedAllocation` SARIF subvariants)
 | `src/assail/analyzer.rs` | Per-file language detection and pattern matching dispatcher
 | `src/assail/patterns.rs` | Language-specific regex patterns for weak points
+| `src/assail/mod.rs` `apply_v255_context_suppression` | v2.5.5 context-aware FP suppression pass — marker / test_context / ffi_kind driven
+| `src/test_context.rs` | Cross-language test-path classification (Rust / Python / Go / JS-TS / Julia / Zig / Elixir / docs-examples) + content promotion (ExUnit / unittest / pytest / `@testset`)
+| `src/comment_marker.rs` | Inline `// panic-attack: accepted [- reason]` suppression marker — `//` / `#` / `--` / `;` / `%` leaders, string-literal aware
+| `src/ffi_kind.rs` | UnsafeFFI (PA013) subtyping: BuildSystem (`build.zig` / `build.rs` — audit-accepted), RuntimeAbi (`bindings/` / `ffi/` / `sys/` / `cdef.zig`), TestMock (`tests/mocks/` / `_stub`), Unknown
+| `src/jit_context.rs` | JIT-framework classifier: Cranelift / Llvm / Wasm / Javascript / None; `transmute_targets_fn_ptr` recogniser for fn-ptr type-punning
+| `src/abi/PatternCompleteness.idr` | PA1 Idris2 proof — every Lang/Category has a detector
+| `src/abi/ClassificationSoundness.idr` | PA2 Idris2 proof — severity total order + maxSeverity commutativity
+| `src/abi/Stripping.idr` | Layer 1.0 partial — line-comment-strip foundation (shape lemma + base cases of `stripLineCommentsIdempotent` Qed-closed)
 | `src/kanren/` | Logic engine (unification, fact database, taint, cross-lang)
 | `src/kanren/core.rs` | Term, substitution, unification, FactDB, forward chaining
 | `src/kanren/taint.rs` | Source→sink tracking (user input, network, deserialization)

README.adoc

@@ -11,7 +11,7 @@ image:https://img.shields.io/badge/License-MPL--2.0-blue.svg[License: MPL-2.0,li
 image:https://api.thegreenwebfoundation.org/greencheckimage/github.com[Green Web,link="https://www.thegreenwebfoundation.org/green-web-check/?url=github.com"]
 image:https://img.shields.io/badge/status-active-green[Status]
 image:https://img.shields.io/badge/domain-security--analysis-blue[Domain]
-image:https://img.shields.io/badge/tests-782%20passing-brightgreen[Tests]
+image:https://img.shields.io/badge/tests-897%20passing-brightgreen[Tests]
 image:https://img.shields.io/badge/languages-49-blue[Languages]
 
 **panic-attack** is a multi-language security analysis and stress-testing system.
@@ -202,7 +202,8 @@ VeriSimDB remains the foundation dependency for these exports, so every snapshot
 Current state: **v2.5.0**
 
 * 32,000+ lines of Rust + Chapel
-* 782 runnable tests (per `cargo test --release -- --list`; 539 `#[test]` annotations plus doctest + integration expansions) across unit / property / e2e / aspect / integration tiers
+* 897 passing tests (per `cargo test --release`, 4 ignored; 901 runnable per `cargo test -- --list`) across unit / property / e2e / aspect / integration tiers
+* v2.5.5 cohort landed 2026-06-02: context-aware FP suppression via `test_context` / `comment_marker` / `ffi_kind` / `jit_context` modules — `// panic-attack: accepted` inline markers, automatic PanicPath suppression in test-only code, build.zig/build.rs auto-accept, Cranelift/LLVM/Wasm/JS JIT detection. See `PROOF-PROGRAMME.md` for the formal soundness landscape
 * 0 warnings
 * 25+ CLI subcommands
 * 49 supported languages (25 canonical weak-point categories PA001–PA025; `PA001b` SARIF subvariant collapses two allocation flavors under the same canonical rule)

ROADMAP.adoc

@@ -139,39 +139,39 @@ specific false positive patterns that currently inflate weak-point counts.
 Panic-attack currently flags comments that mention "unsafe" or document
 security aspects, leading to false positives in security tests.
 
-* [ ] Parse Rust/JS/Python/Julia comment syntax to exclude from unsafe detection
-* [ ] Add `// panic-attack: accepted` comment parser for explicit suppression
-* [ ] Create comment-only weak-point category for documentation review
-* [ ] Improve Zig comment parsing to reduce build.zig false positives
+* [~] Parse Rust/JS/Python/Julia comment syntax to exclude from unsafe detection — analyzer already strips comments at `src/assail/analyzer.rs:931` via `strip_proof_comments(without_strings, "//", Some(("/*", "*/")))`; PROOF-PROGRAMME Layer 1.0 mechanises the idempotence + position-preservation of this pass.
+* [x] Add `// panic-attack: accepted` comment parser for explicit suppression (#105 + #110) — `src/comment_marker.rs` recognises markers in `//` / `#` / `--` / `;` / `%` comments; `apply_v255_context_suppression` flips `WeakPoint.suppressed = true` when a marker is on the same or preceding line. String-literal aware.
+* [ ] Create comment-only weak-point category for documentation review (deferred — semantic-mismatch with the existing PA-code taxonomy; suppression-by-marker covers the immediate use case)
+* [~] Improve Zig comment parsing to reduce build.zig false positives — partially addressed via [[ffi_kind]] subtyping (build.zig → `FfiKind::BuildSystem`, audit-accepted by default); residual zig comment parsing folded into Layer 1.0 follow-up
 
 === `test_context` — Test vs production code distinction
 
 Test files should not be held to the same safety standards as production code,
 but panic-attack currently applies uniform rules.
 
-* [ ] Detect test modules (`#[cfg(test)]`, `test "..."`, `ExUnit.Case`) across languages
-* [ ] Suppress PanicPath findings in test-only code (unwrap/expect acceptable in tests)
-* [ ] Add test/production context to weak-point metadata
-* [ ] Create test-specific suppression patterns for HTTP URLs and other test data
+* [x] Detect test modules (`#[cfg(test)]`, `test "..."`, `ExUnit.Case`) across languages (#102) — `src/test_context.rs` `classify_path` covers Rust / Python / Go / JavaScript / Julia / Zig / Elixir / docs-examples paths; `content_indicates_test_scope` covers ExUnit / unittest / pytest fixture / Julia `@testset` content markers.
+* [x] Suppress PanicPath findings in test-only code (#110) — `apply_v255_context_suppression` flips `WeakPoint.suppressed = true` whenever a `PanicPath` finding's `test_context` is `TestOnly` or `Doc`.
+* [x] Add test/production context to weak-point metadata (#102 + #110) — new `WeakPoint.test_context: Option<TestContext>` field plumbed through 137 construction sites; the wire-up pass populates it for every finding with a known file path.
+* [ ] Create test-specific suppression patterns for HTTP URLs and other test data (deferred — needs a separate test-data fixture lexer; the foundation (test_context metadata) is in place to drive it)
 
 === `ffi_refinement` — Better FFI boundary detection
 
 Current FFI detection flags build system files and legitimate ABI boundaries.
 
-* [ ] Distinguish `@import("std")` from `@cImport` in Zig analyzer
-* [ ] Recognize build.zig as build-system context, not FFI usage
-* [ ] Cross-reference with `audits/audit-ffi-unsafe.md` for pre-approved boundaries
-* [ ] Add FFI category subtyping (BuildSystem, RuntimeABI, TestMock)
+* [~] Distinguish `@import("std")` from `@cImport` in Zig analyzer — analyzer's existing `@cImport`-only count at `src/assail/analyzer.rs:3993` already excludes `@import("std")`; finer-grained Zig parsing is a follow-up.
+* [x] Recognize build.zig as build-system context, not FFI usage (#106 + #110) — `FfiKind::classify_by_path` returns `BuildSystem` for `build.zig` / `build.rs`; `is_audit_accepted_by_default()` returns true; wire-up auto-suppresses.
+* [x] Cross-reference with `audits/audit-ffi-unsafe.md` for pre-approved boundaries (#106) — `is_audited_boundary(audit_text, file_path)` parses `## Approved boundaries` and `## Pre-approved boundaries` markdown sections; both `- path` and `` - `path` `` forms supported.
+* [x] Add FFI category subtyping (BuildSystem, RuntimeABI, TestMock) (#106) — `FfiKind` enum with four variants (BuildSystem / RuntimeAbi / TestMock / Unknown).
 
 === `jit_context` — JIT compilation awareness
 
 JIT compilation inherently requires unsafe code for function pointer manipulation,
 but panic-attack flags these as generic UnsafeCode findings.
 
-* [ ] Detect Cranelift/LLVM JIT compilation contexts
-* [ ] Add JIT-specific unsafe suppression for transmute patterns
-* [ ] Document JIT safety invariants in weak-point metadata
-* [ ] Create JIT category for specialized analysis
+* [x] Detect Cranelift/LLVM JIT compilation contexts (#107) — `JitContext` enum: Cranelift / Llvm / Wasm / Javascript / None; `classify_rust(content)` heuristic recognises `cranelift_jit::JITModule`, `inkwell::execution_engine`, `wasmtime::Module`, `rusty_v8::Isolate`, `boa_engine::Context`, etc.
+* [~] Add JIT-specific unsafe suppression for transmute patterns — analyzer's existing inline check at `src/assail/analyzer.rs:1117..1129` downgrades Critical → High for `mem::transmute` to function-pointer types in a Cranelift context. JitContext now provides a unified API surface; consolidation is a code-cleanup follow-up.
+* [~] Document JIT safety invariants in weak-point metadata — `JitContext::permits_fn_ptr_transmute()` exposes the structural-unsafe acceptance; explicit metadata field on `WeakPoint` is a Phase 3 follow-up.
+* [ ] Create JIT category for specialized analysis (deferred — keeping `UnsafeCode` / `UnsafeTypeCoercion` with a `JitContext` sidecar is semantically cleaner than a new top-level `WeakPointCategory`)
 
 == v3.0.0 -- Distributed Scanning