feat: panicbot integration, attestation, assemblyline, SARIF, i18n, notify pipeline

Major additions from sessions 8-9:
- Panicbot integration: JSON contract (PA001-PA020), bot directives, diagnostics check
- Assemblyline batch scanning: rayon parallelism (17.7x speedup), BLAKE3 fingerprinting
- SARIF output format for GitHub Security tab
- Notification pipeline: markdown summaries, critical-only filtering, GitHub issues
- Cryptographic attestation chain: intent → evidence → seal (optional Ed25519)
- i18n support: ISO 639-1, 10 languages, compile-time safe catalog
- Machine-verifiable readiness tests: 18 CRG grade tests (D/C/B) + justfile recipes
- Manifest-first framework detection: eliminates self-referential false positives
- Full documentation update: ROADMAP, TOPOLOGY, CHANGELOG, CONTRIBUTING, META.scm,
  ECOSYSTEM.scm, STATE.scm, AI.a2ml, CLAUDE.md, README.md, DESIGN.md, VISION.md
- Zero compiler warnings, 269 tests passing

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: hyperpolymath

.claude/CLAUDE.md

@@ -19,7 +19,7 @@ Static analysis and bug signature detection tool. Scans source code for weak poi
 
 ```
 src/
-├── main.rs              # CLI entry point (clap)
+├── main.rs              # CLI entry point (clap) — 20 subcommands
 ├── lib.rs               # Library API
 ├── types.rs             # Core types (AssailReport, WeakPoint, etc.)
 ├── assail/              # Static analysis engine
@@ -38,10 +38,29 @@ src/
 ├── signatures/          # Logic-based bug signature detection
 │   ├── engine.rs        # SignatureEngine (use-after-free, deadlock, etc.)
 │   └── rules.rs         # Detection rules
-└── report/
-    ├── mod.rs           # Report generation API
-    ├── generator.rs     # AssaultReport builder
-    └── formatter.rs     # Output formatting (text + JSON)
+├── report/              # Report generation and output
+│   ├── mod.rs           # Report generation API
+│   ├── generator.rs     # AssaultReport builder
+│   └── formatter.rs     # Output formatting (text + JSON)
+├── assemblyline.rs      # Batch scanning with rayon parallelism + BLAKE3
+├── notify.rs            # Designer notification pipeline (markdown + GitHub issues)
+├── attestation/         # Cryptographic attestation chain
+│   ├── mod.rs           # Three-phase chain: intent → evidence → seal
+│   ├── intent.rs        # Pre-execution commitment
+│   ├── evidence.rs      # Rolling hash accumulator
+│   ├── seal.rs          # Post-execution binding
+│   ├── chain.rs         # Chain builder orchestration
+│   └── envelope.rs      # A2ML envelope wrapper
+├── ambush/              # Ambient stressors + DAW-style timeline
+├── amuck/               # Mutation combinations
+├── abduct/              # Isolation + time-skew
+├── adjudicate/          # Campaign verdict aggregation
+├── axial/               # Reaction observation
+├── a2ml/                # AI manifest protocol
+├── panll/               # PanLL event-chain export
+├── storage/             # Filesystem + VerisimDB persistence
+├── i18n/                # Multi-language support (ISO 639-1, 10 languages)
+└── diagnostics.rs       # Self-check for Hypatia/gitbot-fleet
 ```
 
 ## Build & Test
@@ -79,23 +98,37 @@ The kanren module provides:
 
 ## Planned Features (Next Priorities)
 
-1. **`sweep` subcommand**: Scan entire directory of git repos in one go
-2. **verisimdb integration**: Push results as hexads to verisimdb API
-3. **hypatia pipeline**: Feed results through rule engine for pattern detection
-4. **SARIF output**: GitHub Security tab integration
-5. **RSR compliance**: Standard workflows, docs, shell completions
+1. **verisimdb API integration**: Push scan results as hexads directly
+2. **Incremental assemblyline**: BLAKE3 delta scanning (skip unchanged repos)
+3. **kanren context-facts**: ~10 rules for FP suppression (~8% -> ~2-3%)
+4. **hypatia pipeline**: Export kanren facts as Logtalk predicates via PanLL
+5. **Shell completions**: bash, zsh, fish, nushell
 
 ## Integration Points
 
-- **verisimdb**: Store scan results as hexads (document + semantic modalities)
-- **hypatia**: Neurosymbolic rule engine processes findings
-- **echidnabot**: Proof verification of scan claims
-- **sustainabot**: Ecological/economic code health metrics
+- **panicbot**: gitbot-fleet verifier bot — invokes `panic-attack assail --output-format json`, translates WeakPoints to Findings (PA001-PA020). Directives at `.machine_readable/bot_directives/panicbot.scm`
+- **verisimdb**: Store scan results as hexads (document + semantic modalities). File I/O works, API planned
+- **hypatia**: Neurosymbolic rule engine processes findings. Env var watcher in diagnostics
+- **panll**: Event-chain export for three-pane visualisation. Working via `panll` subcommand
+- **assemblyline**: Batch scanning of repo directories. Rayon parallelism, BLAKE3 fingerprinting
+- **notify**: Notification pipeline. Assemblyline -> markdown summaries -> GitHub issues
+- **attestation**: Cryptographic chain (intent/evidence/seal). Optional Ed25519 signing
+- **echidnabot**: Proof verification of scan claims (planned)
 - **hardware-crash-team**: Sibling tool (hardware diagnostics vs software analysis)
 
+## Readiness Tests (CRG)
+
+Machine-verifiable Component Readiness Grade tests in `tests/readiness.rs`:
+- **Grade D (Alpha)**: Component runs without crashing on valid input
+- **Grade C (Beta)**: Component produces correct output on representative input
+- **Grade B (RC)**: Component handles edge cases and multiple input types
+
+Run with `just readiness` or `just readiness-summary`.
+
 ## Code Style
 
 - SPDX headers on all files: `PMPL-1.0-or-later`
-- Author: Jonathan D.A. Jewell <jonathan.jewell@open.ac.uk>
+- Author: Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
 - Use anyhow::Result for error handling
 - Serde derive on public types for JSON serialization
+- Zero compiler warnings policy (release + test builds)

.gitignore

@@ -1 +1,5 @@
 /target
+/reports/
+/verisimdb-data/
+/runtime/
+/panll-event-chain.json

.machine_readable/ECOSYSTEM.scm

@@ -49,7 +49,21 @@
       (relationship "consumer")
       (integration "bots can trigger panic-attack scans via repository_dispatch")
       (url "https://github.com/hyperpolymath/gitbot-fleet")
-      (description "Repository automation bots (rhodibot, echidnabot, etc.)"))
+      (description "Repository automation bots (rhodibot, echidnabot, panicbot, etc.)"))
+
+    (project
+      (name "panicbot")
+      (relationship "direct-consumer")
+      (integration "invokes `panic-attack assail --output-format json`, translates WeakPoints to fleet Findings via PA001–PA020 rule mapping")
+      (url "https://github.com/hyperpolymath/gitbot-fleet")
+      (description "Tier-4 verifier bot in gitbot-fleet — static analysis auditing via panic-attack")
+      (interface
+        (protocol "subprocess")
+        (command "panic-attack assail <target> --output-format json")
+        (output-format "AssailReport JSON (flat or assault envelope)")
+        (category-mapping "WeakPointCategory → PA001–PA020 rule IDs")
+        (severity-mapping "PascalCase → lowercase → fleet severity levels")
+        (directives ".machine_readable/bot_directives/panicbot.scm")))
 
     (project
       (name "ambientops")
@@ -102,61 +116,43 @@
 
   (dependencies
     (runtime
-      (dependency
-        (name "encoding_rs")
-        (version "0.8")
-        (purpose "Latin-1 fallback for non-UTF-8 files"))
-      (dependency
-        (name "clap")
-        (version "4.5")
-        (purpose "CLI argument parsing"))
-      (dependency
-        (name "colored")
-        (version "2.1")
-        (purpose "Terminal output formatting"))
-      (dependency
-        (name "regex")
-        (version "1.10")
-        (purpose "Pattern matching in source code"))
-      (dependency
-        (name "serde")
-        (version "1.0")
-        (purpose "JSON serialization"))
-      (dependency
-        (name "anyhow")
-        (version "1.0")
-        (purpose "Error handling"))
-      (dependency
-        (name "chrono")
-        (version "0.4")
-        (purpose "Timestamp generation")))
+      (dependency (name "clap") (version "4.5") (purpose "CLI argument parsing"))
+      (dependency (name "serde") (version "1.0") (purpose "JSON/YAML serialization"))
+      (dependency (name "serde_json") (version "1.0") (purpose "JSON output"))
+      (dependency (name "serde_yaml") (version "0.9") (purpose "YAML output"))
+      (dependency (name "anyhow") (version "1.0") (purpose "Error handling"))
+      (dependency (name "regex") (version "1.10") (purpose "Pattern matching in source code"))
+      (dependency (name "colored") (version "2.1") (purpose "Terminal output formatting"))
+      (dependency (name "chrono") (version "0.4") (purpose "Timestamp generation"))
+      (dependency (name "encoding_rs") (version "0.8") (purpose "Latin-1 fallback for non-UTF-8 files"))
+      (dependency (name "rayon") (version "1.10") (purpose "Parallel batch scanning"))
+      (dependency (name "blake3") (version "1.5") (purpose "Source fingerprinting for incremental scans"))
+      (dependency (name "sha2") (version "0.10") (purpose "Attestation hashing"))
+      (dependency (name "hex") (version "0.4") (purpose "Hex encoding for attestation"))
+      (dependency (name "getrandom") (version "0.2") (purpose "Attestation nonce generation"))
+      (dependency (name "crossterm") (version "0.26") (purpose "TUI terminal control"))
+      (dependency (name "eframe") (version "0.27") (purpose "GUI viewer"))
+      (dependency (name "filetime") (version "0.2") (purpose "Abduct timestamp manipulation"))
+      (dependency (name "ed25519-dalek") (version "2.1") (purpose "Optional Ed25519 signing for attestation")))
 
     (development
-      (dependency
-        (name "tempfile")
-        (version "3.8")
-        (purpose "Temporary files in tests"))))
+      (dependency (name "tempfile") (version "3.8") (purpose "Temporary files in tests"))))
 
   (future-integrations
-    (integration
-      (name "sweep subcommand")
-      (status "planned-v2.1")
-      (description "Bulk scanning of directory-of-repos with aggregated results"))
-
     (integration
       (name "verisimdb API push")
       (status "planned-v2.1")
       (description "Push scan results as hexads directly to verisimdb API"))
 
     (integration
       (name "hypatia pipeline")
-      (status "planned-v2.1")
-      (description "Feed kanren facts as Logtalk predicates to hypatia rule engine"))
+      (status "planned-v2.2")
+      (description "Feed kanren facts as Logtalk predicates to hypatia rule engine via PanLL"))
 
     (integration
-      (name "SARIF output")
+      (name "kanren context-facts")
       (status "planned-v2.2")
-      (description "SARIF output for GitHub Security tab and CodeQL integration"))
+      (description "~10 context rules for false positive suppression (8% -> 2-3%)"))
 
     (integration
       (name "crates.io")
@@ -182,7 +178,7 @@
 
   (metadata
     (created "2026-02-07")
-    (updated "2026-02-09")
-    (maintainer "Jonathan D.A. Jewell <jonathan.jewell@open.ac.uk>")
+    (updated "2026-03-01")
+    (maintainer "Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>")
     (license "PMPL-1.0-or-later")
     (repository "https://github.com/hyperpolymath/panic-attacker")))

.machine_readable/META.scm

@@ -136,7 +136,96 @@
         "Covers all languages in hyperpolymath ecosystem"
         "20 weak point categories (up from ~5)"
         "Per-file language detection with family-specific patterns"
-        "Cross-language analysis possible via kanren engine")))
+        "Cross-language analysis possible via kanren engine"))
+
+    (adr
+      (id "ADR-011")
+      (date "2026-03-01")
+      (status "accepted")
+      (title "Assemblyline batch scanning with rayon parallelism and BLAKE3 fingerprinting")
+      (context "Need to scan 100+ repos efficiently; sequential scanning too slow")
+      (decision "Use rayon for parallel repo scanning, BLAKE3 for source fingerprinting to enable incremental rescans")
+      (consequences
+        "17.7x speedup (141 repos in 39.9s vs ~705s sequential)"
+        "BLAKE3 fingerprint infrastructure for future delta scanning"
+        "Sorted output: riskiest repos first"
+        "JSON aggregate report with per-repo breakdowns"))
+
+    (adr
+      (id "ADR-012")
+      (date "2026-03-01")
+      (status "accepted")
+      (title "SARIF output format for standardised security reporting")
+      (context "GitHub Security tab requires SARIF for code scanning integration")
+      (decision "Implement SARIF 2.1.0 output via --output-format sarif")
+      (consequences
+        "GitHub Security tab integration via codeql-action/upload-sarif"
+        "Standard format consumed by multiple security tools"
+        "Rules deduplicated by WeakPointCategory"))
+
+    (adr
+      (id "ADR-013")
+      (date "2026-03-01")
+      (status "accepted")
+      (title "Cryptographic attestation chain (intent/evidence/seal)")
+      (context "Need to prove scans are genuine and untampered for trust chain")
+      (decision "Three-phase model: intent (pre-commit), evidence (rolling hash), seal (post-bind)")
+      (consequences
+        "Scans are cryptographically bound to inputs and outputs"
+        "Optional Ed25519 signing via --features signing"
+        "A2ML envelope wraps attestation for transport"
+        "Diagnostics checks signing health"))
+
+    (adr
+      (id "ADR-014")
+      (date "2026-03-01")
+      (status "accepted")
+      (title "i18n support using ISO 639-1 (10-language catalog)")
+      (context "Potential for non-English-speaking users; internationalisation should be built in early")
+      (decision "Compile-time safe catalog with t() and t_or_key() lookups, 10 languages")
+      (consequences
+        "All user-facing strings translatable"
+        "Doc-tested examples ensure catalog stays valid"
+        "ISO 639-1 validation for language codes"))
+
+    (adr
+      (id "ADR-015")
+      (date "2026-03-01")
+      (status "accepted")
+      (title "Notification pipeline (markdown-first, critical-only filtering)")
+      (context "Assemblyline produces aggregate reports; need human-readable summaries and actionable alerts")
+      (decision "notify subcommand generates markdown with severity breakdown, optional critical-only filter, optional GitHub issue creation")
+      (consequences
+        "Markdown output works in GitHub, email, Slack, etc."
+        "--critical-only reduces noise to actionable items only"
+        "GitHub issue creation automates remediation workflow"))
+
+    (adr
+      (id "ADR-016")
+      (date "2026-03-01")
+      (status "accepted")
+      (title "Manifest-first framework detection (fixes false positives)")
+      (context "Source-level substring matching caused self-referential false positives (analyzer detecting its own patterns)")
+      (decision "Primary detection from dependency manifests (Cargo.toml, mix.exs, package.json, etc.); Rust excluded from source scanning entirely")
+      (consequences
+        "Eliminates self-referential false positives"
+        "Cargo.toml detection is authoritative for Rust"
+        "Source scanning kept for BEAM, Go, Ruby, Python, JS only"
+        "~8% overall FP rate (down from higher)"))
+
+    (adr
+      (id "ADR-017")
+      (date "2026-03-01")
+      (status "accepted")
+      (title "Machine-verifiable readiness tests (CRG grades D/C/B)")
+      (context "Need automated evidence for Component Readiness Grading")
+      (decision "tests/readiness.rs with grade-prefixed test names; justfile recipes for summary output")
+      (consequences
+        "CRG grades derivable from test results"
+        "D (Alpha): component runs without crashing"
+        "C (Beta): correct output on representative input"
+        "B (RC): edge cases and multi-language support"
+        "18 tests across 3 grades, automated via just readiness-summary")))
 
   (development-practices
     (practice
@@ -150,7 +239,7 @@
       (description "All features must have tests")
       (rationale "Untested code is untrusted code")
       (target "80% code coverage")
-      (current "30 tests: 16 unit + 11 analyzer + 3 integration"))
+      (current "269 tests: unit, integration, analyzer, readiness (CRG D/C/B), SARIF, PanLL, report, assemblyline, pattern"))
 
     (practice
       (name "RSR compliance")
@@ -168,7 +257,7 @@
       (rationale "Predictable releases, clear breaking changes")
       (policy
         "1.x = stable foundation, naming finalised"
-        "2.x = major feature expansion (logic engine, 47 langs)"
+        "2.x = major feature expansion (logic engine, 47 langs, batch scanning, attestation)"
         "3.0 = public release (crates.io)"))
 
     (practice
@@ -184,7 +273,7 @@
       (name "Eat your own dogfood")
       (description "Run panic-attack on panic-attack itself")
       (rationale "Find bugs, validate thresholds, prove usefulness")
-      (status "active: self-scan shows 3 weak points")))
+      (status "active: self-scan shows 30 findings, ~8% false positive rate")))
 
   (design-rationale
     (rationale
@@ -214,10 +303,22 @@
       (current "47 languages: BEAM, ML, Lisp, Functional, Proof, Logic, Systems, Config, Scripting, NextGen DSLs")
       (benefit "Cross-language vulnerability detection via kanren engine"))
 
+    (rationale
+      (aspect "Manifest-first framework detection")
+      (reasoning "Source-level substring matching causes self-referential false positives when the analyzer scans its own code")
+      (decision "Use dependency manifests (Cargo.toml, mix.exs, etc.) as primary signal; exclude Rust from source scanning")
+      (benefit "Eliminates FPs from string literals containing detection patterns"))
+
+    (rationale
+      (aspect "Cryptographic attestation")
+      (reasoning "Prove scans are genuine and untampered for CI/CD trust chains")
+      (components "intent.rs (pre-commit), evidence.rs (rolling hash), seal.rs (post-bind), chain.rs (orchestration), envelope.rs (A2ML wrapper)")
+      (benefit "Scans can be verified by echidnabot or other proof verifiers"))
+
     (rationale
       (aspect "CLI + library")
       (reasoning "Useful standalone and as integration component")
-      (benefit "src/lib.rs enables testing, hypatia integration, verisimdb pipeline")))
+      (benefit "src/lib.rs enables testing, hypatia integration, verisimdb pipeline, panicbot subprocess invocation")))
 
   (cross-cutting-concerns
     (concern
@@ -227,13 +328,13 @@
 
     (concern
       (name "Performance")
-      (approach "Reasonable defaults, search strategy optimisation via kanren")
-      (current "Single-threaded file analysis with risk-weighted prioritisation")
-      (future "rayon for parallel assail analysis"))
+      (approach "Rayon parallelism for batch scanning, search strategy optimisation via kanren")
+      (current "Parallel assemblyline scanning (17.7x speedup); single-threaded per-file analysis with risk-weighted prioritisation")
+      (future "Incremental analysis via BLAKE3 delta fingerprinting"))
 
     (concern
       (name "Security")
-      (approach "cargo-audit in CI, SBOM generation, self-testing")
+      (approach "cargo-audit in CI, SBOM generation, self-testing, attestation chain")
       (policy "No unsafe code in panic-attack itself except when required for FFI"))
 
     (concern
@@ -246,10 +347,10 @@
       (name "Extensibility")
       (approach "Pattern library, kanren rule system, pluggable analyzers")
       (current "miniKanren rules for taint, cross-language, and strategy")
-      (future "User-definable rules, plugin system")))
+      (future "User-definable rules, plugin system, context-fact FP suppression")))
 
   (metadata
     (created "2026-02-07")
-    (updated "2026-02-08")
-    (maintainer "Jonathan D.A. Jewell <jonathan.jewell@open.ac.uk>")
+    (updated "2026-03-01")
+    (maintainer "Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>")
     (license "PMPL-1.0-or-later")))