audit(assail): classify 11 audited-FP residuals from fresh 2.5.5 scan

[hyperpolymath]

Part of the estate loop repair (hyperpolymath/hypatia#458).

Extends the existing classification registry (v1.0.0 → v1.1.0, house style preserved) with the audited residuals from a fresh panic-attack 2.5.5 scan of standards — every entry inspected at source this session:

• bench/audit harnesses that eval their own embedded command tables (k9-svc/benchmarks/k9-bench.sh, a2ml/benchmarks/parser-bench.sh, rhodium-standard-repositories/rsr-audit.sh) — no external input reaches the eval;
• BoF presentation demo scripts (palimpsest-license satellites);
• demo/example code (avow-protocol/public/demo.js, avow-lib/examples/);
• build-time pandoc Lua filter (a2ml/pandoc/a2ml-filter.lua);
• audited Zig FFI boundary casts (overlay-protocol/ffi, lol/ffi) — mirrors the 007 zig_bridge.rs reference classification;
• ReScript compiler output (axel-protocol/src/Tea.res.js).

With these, standards' unsuppressed non-heuristic Critical/High = 0. The stale verisimdb-data store showed 3 Criticals for *-scm/src/abi/Foreign.idr files that no longer exist — flushed by the estate-rescan workflow in hypatia#458.

https://claude.ai/code/session_01EzjC8MEx3Kzf3pdMhaQSks

---

Generated by Claude Code

[github-actions]

🔍 Hypatia Security Scan

Findings: 137 issues detected

Severity	Count
🔴 Critical	63
🟠 High	56
🟡 Medium	18

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "Issue in scorecard.yml",
    "type": "missing_workflow",
    "file": "scorecard.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action for the check script)\n        uses: actions/checkout@df4c needs attention",
    "type": "unpinned_action",
    "file": "governance-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action for the check script)\n        uses: actions/checkout@df4c needs attention",
    "type": "unpinned_action",
    "file": "governance-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in governance.yml",
    "type": "missing_timeout_minutes",
    "file": "governance.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "missing_timeout_minutes",
    "file": "mirror.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in secret-scanner.yml",
    "type": "missing_timeout_minutes",
    "file": "secret-scanner.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Required file missing (condition: public_repo)",
    "type": "missing_requirement",
    "file": ".github/workflows/scorecard.yml",
    "action": "create",
    "rule_module": "cicd_rules",
    "severity": "high"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/k9-svc/bindings/deno/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence