
fix(vclt-gate): reject on levels[].status=="fail", not never-emitted "admitted" #149

Merged: hyperpolymath merged 1 commit into main from fix/vclt-gate-status-key on Jun 14, 2026


@hyperpolymath

Owner

Fixes a cross-repo seam bug between the vcl-ut gate producer and this consumer that was invisible to both CIs.

VCLTGate.extract_reasons rejected levels where l["admitted"] == true, but the vcl-ut vclt-gate producer never emits an admitted key — it emits per-level status in {"pass","fail"}. So Enum.reject kept every level and the rejection-reasons list included passing levels.

  • Consumer: Enum.reject(admitted==true) → Enum.filter(status=="fail"), so failed holds the genuinely-failing levels.
  • Test: the stub fabricated an "admitted" key (which masked the drift); updated to the real {"status":"fail"} schema.

The matching producer-side status schema is in vcl-ut (src/interface/parse/src/bin/vclt-gate.rs). Local mix test couldn't run here (deps not fetched in the offline env); the logic change is a one-liner verified by standalone elixir execution.

🤖 Generated with Claude Code

…"admitted"

extract_reasons rejected levels where l["admitted"]==true, but the vcl-ut
gate producer never emits an "admitted" key — it emits per-level status in
{"pass","fail"}. The reject therefore kept every level and mis-listed
passing levels as rejection reasons. Switch to Enum.filter(status=="fail")
so `failed` holds the genuinely-failing levels, and update the test stub to
the real status schema (it had fabricated an "admitted" key, masking the
drift across the cross-repo seam).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
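
The seam bug described in this PR, reproduced as an added example (not code from this repository or from vcl-ut). The module name, the "level" key, both payloads and the strict variant are assumptions made for illustration; only the "status" and "admitted" keys and the reject/filter logic come from the page.

```elixir
# Added illustration. GateSeamExample and the "level" key are hypothetical,
# and both payloads below are constructed.
defmodule GateSeamExample do
  # Old consumer logic as described in the PR: drop levels flagged admitted.
  # The producer never emits "admitted", so l["admitted"] is nil for every
  # level, nil == true is false, and nothing is dropped.
  def failed_before(levels) do
    Enum.reject(levels, fn l -> l["admitted"] == true end)
  end

  # Fixed consumer logic: keep only levels the producer marked as failing.
  def failed_after(levels) do
    Enum.filter(levels, fn l -> l["status"] == "fail" end)
  end

  # Stricter variant (an assumption, not part of the PR): a level whose
  # status is outside {"pass","fail"} is reported as schema drift instead
  # of being silently treated as passing.
  def failed_strict(levels) do
    case Enum.reject(levels, fn l -> l["status"] in ["pass", "fail"] end) do
      [] -> {:ok, failed_after(levels)}
      unknown -> {:error, {:schema_drift, unknown}}
    end
  end
end

ids = fn levels -> Enum.map(levels, fn l -> l["level"] end) end

# Constructed producer output using the per-level status schema.
levels = [
  %{"level" => 1, "status" => "pass"},
  %{"level" => 2, "status" => "fail"},
  %{"level" => 3, "status" => "pass"}
]

# Old logic lists passing levels as rejection reasons; new logic does not.
IO.inspect(ids.(GateSeamExample.failed_before(levels)), label: "before fix")
IO.inspect(ids.(GateSeamExample.failed_after(levels)), label: "after fix")

# Constructed stub in the old test's style: "admitted" present, no "status".
# The old logic looks correct against it, which is how the drift stayed hidden.
stub = [%{"level" => 1, "admitted" => true}, %{"level" => 2, "admitted" => false}]
IO.inspect(ids.(GateSeamExample.failed_before(stub)), label: "stub, old logic")
IO.inspect(GateSeamExample.failed_strict(stub), label: "stub, strict check")
```

Save it as a `.exs` file and run it with `elixir`; no dependencies are needed.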
@github-actions


🔍 Hypatia Security Scan

Findings: 173 issues detected

Severity Count
🔴 Critical 17
🟠 High 81
🟡 Medium 75

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "codeql_missing_actions_language",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "User-defined Coq axiom -- not verified by kernel (1 occurrences, CWE-704)",
    "type": "coq_axiom",
    "file": "/home/runner/work/verisimdb/verisimdb/formal/Provenance.v",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "User-defined Coq axiom -- not verified by kernel (2 occurrences, CWE-704)",
    "type": "coq_axiom",
    "file": "/home/runner/work/verisimdb/verisimdb/formal/PlannerSemantic.v",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "User-defined Coq axiom -- not verified by kernel (1 occurrences, CWE-704)",
    "type": "coq_axiom",
    "file": "/home/runner/work/verisimdb/verisimdb/formal/Planner.v",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "User-defined Coq axiom -- not verified by kernel (6 occurrences, CWE-704)",
    "type": "coq_axiom",
    "file": "/home/runner/work/verisimdb/verisimdb/formal/Drift.v",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "User-defined Coq axiom -- not verified by kernel (1 occurrences, CWE-704)",
    "type": "coq_axiom",
    "file": "/home/runner/work/verisimdb/verisimdb/formal/WAL.v",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "User-defined Coq axiom -- not verified by kernel (2 occurrences, CWE-704)",
    "type": "coq_axiom",
    "file": "/home/runner/work/verisimdb/verisimdb/formal/Normalizer.v",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "getExn on external data -- use pattern matching (1 occurrences, CWE-754)",
    "type": "getexn_on_external",
    "file": "/home/runner/work/verisimdb/verisimdb/src/registry/Registry.res",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath merged commit 842fa96 into main Jun 14, 2026
41 checks passed
@hyperpolymath hyperpolymath deleted the fix/vclt-gate-status-key branch June 14, 2026 14:33