chore: sync deno.lock, opsm-panel + audit docs

hyperpolymath · claude · hyperpolymath · commit e3317720a170 · 2026-03-30T13:28:17.000+01:00
Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/PROOF-NEEDS.md b/PROOF-NEEDS.md
@@ -0,0 +1,28 @@
+# PROOF-NEEDS.md — panll
+
+## Current State
+
+- **src/abi/**: YES — contains `cartridge-schema.json` and `README.md` (no Idris2 files)
+- **Dangerous patterns**: 0 in own code (164 references are all in UI display code that shows believe_me/Admitted counts from OTHER repos)
+- **LOC**: ~138,000 (ReScript + Rust)
+- **ABI layer**: Schema-only, no Idris2 proofs
+
+## What Needs Proving
+
+| Component | What | Why |
+|-----------|------|-----|
+| Cartridge schema validation | Cartridge loading validates against schema correctly | Malformed cartridges crash panels or produce wrong output |
+| PCC constraint propagator | Constraint propagation is sound and complete | PanLL Constraint Checker is the build-time safety net |
+| PCC ReScript scanner | Scanner correctly identifies all constraint violations | Missed violations bypass safety checks |
+| Verification Dashboard accuracy | Dashboard accurately reflects actual proof state | Displaying wrong verification state gives false confidence |
+| Provenance engine | Provenance tracking is complete and unforgeable | Provenance gaps break audit trail |
+| Gossamer coprocessor commands | Command dispatch is total (no unhandled commands) | Unhandled commands silently fail |
+| Wiring Inspector | Wiring analysis correctly identifies all connections | Missing wires mean broken panel communication |
+
+## Recommended Prover
+
+**Idris2** — Replace schema-only ABI with proper Idris2 types. PCC constraint propagation is a natural fit for formal verification. The Rust PCC tool (`tools/pcc/`) should have soundness proofs.
+
+## Priority
+
+**MEDIUM** — PanLL is the developer panel system. PCC soundness is the highest-value proof (it checks constraints across the ecosystem). The Verification Dashboard must accurately reflect proof state to avoid false confidence.
diff --git a/TEST-NEEDS.md b/TEST-NEEDS.md
@@ -0,0 +1,76 @@
+# TEST-NEEDS.md — panll
+
+> Generated 2026-03-29 by punishing audit.
+
+## Current State
+
+| Category     | Count | Notes |
+|-------------|-------|-------|
+| Unit tests   | ~20   | JS engine tests: tentacles, network_topology, level_architect, cloudguard, security, ums, automation_router, accessibility, seam, focus_dimming, help, tiling, anti_crash, contractiles, orbital_sync, menu_bar |
+| Integration  | ~6    | TEA framework: tea_app_test, tea_cmd_test, tea_sub_test, tea_render_test |
+| E2E          | 0     | None |
+| Benchmarks   | 0     | Files named "Workbench" are components, NOT benchmarks |
+
+**Source modules:** ~686 ReScript .res files (not counting compiled .res.js). Massive TEA architecture with engines, models, views, components, core modules. Also: 116 Rust files, 15 Elixir, 5 Zig FFI, Idris2 ABI.
+
+## What's Missing
+
+### P2P (Property-Based) Tests
+- [ ] TEA Model: property tests for state transition invariants
+- [ ] Panel layout: property tests for tiling constraints (no overlapping, no gaps)
+- [ ] Network topology: graph property tests (connectivity, acyclicity where required)
+- [ ] Security engine: policy evaluation property tests
+
+### E2E Tests
+- [ ] Full panel lifecycle: create -> layout -> interact -> resize -> close
+- [ ] Multi-panel: open multiple panels, tile, switch focus, close
+- [ ] Accessibility: keyboard navigation through all panel types
+- [ ] Theme/variant: each visual theme renders correctly
+- [ ] Gossamer integration: panel communication round-trips
+
+### Aspect Tests
+- **Security:** 1 security_engine_test exists but for 686 modules — ZERO tests for panel isolation, IPC sanitization, plugin sandboxing
+- **Performance:** ZERO benchmarks. No render frame budget tests, no panel creation overhead measurement, no memory leak detection for long-running sessions
+- **Concurrency:** No tests for concurrent panel operations, WebSocket message ordering, subscription race conditions
+- **Error handling:** 1 anti_crash_test exists. No tests for panel crash recovery, malformed IPC messages, subscription failure handling
+
+### Build & Execution
+- [ ] ReScript build (686 modules!)
+- [ ] JS test runner for tests/
+- [ ] Rust cargo test
+- [ ] Elixir mix test
+
+### Benchmarks Needed
+- [ ] Panel creation/destruction time
+- [ ] TEA update cycle latency
+- [ ] Render time per panel type
+- [ ] IPC message throughput
+- [ ] Memory usage per panel count
+- [ ] Layout algorithm time vs panel count
+
+### Self-Tests
+- [ ] Panel manifest validation
+- [ ] TEA framework self-test (model/view/update cycle)
+- [ ] Component registry consistency
+- [ ] Accessibility compliance check (WCAG)
+
+### CRITICAL GAPS
+
+| Area | Modules | Tests | Coverage |
+|------|---------|-------|----------|
+| Components (.res) | ~200+ | 0 direct | **0%** |
+| Core engines | ~50+ | ~16 | **~32%** |
+| Models | ~100+ | 0 direct | **0%** |
+| Views | ~100+ | 0 direct | **0%** |
+| TEA framework | ~20 | 4 | **20%** |
+| Rust crates | 116 files | 0 | **0%** |
+
+## Priority
+
+**CRITICAL.** 686 ReScript modules with ~26 test files is 3.8% coverage. The TEA engine tests are a good start but the component, model, and view layers are completely untested. 116 Rust files with ZERO tests. ZERO benchmarks for a UI framework where performance is user-visible. The "DebuggingWorkbench" and "ExploratoryWorkbench" files in bench results are components, not benchmarks — do not be fooled.
+
+## FAKE-FUZZ ALERT
+
+- `tests/fuzz/placeholder.txt` is a scorecard placeholder inherited from rsr-template-repo — it does NOT provide real fuzz testing
+- Replace with an actual fuzz harness (see rsr-template-repo/tests/fuzz/README.adoc) or remove the file
+- Priority: P2 — creates false impression of fuzz coverage
diff --git a/deno.lock b/deno.lock
diff --git a/public/opsm-panel.html b/public/opsm-panel.html
@@ -248,20 +248,38 @@
 
     const panll = window.__panll || null;
 
-    // Gossamer IPC helper — invokes opsm-runtime via the shell-exec handler
+    // IPC helper — invokes opsm_runtime via Gossamer, Tauri, or PanLL bridge
+    // Tries each runtime in priority order (Gossamer > Tauri > PanLL)
     async function opsmInvoke(cmd, tool, version) {
+      const payload = { cmd };
+      if (tool) payload.tool = tool;
+      if (version) payload.version = version;
+
+      // 1. Gossamer runtime (preferred)
       if (typeof window.__gossamer_invoke === 'function') {
-        const payload = { cmd };
-        if (tool) payload.tool = tool;
-        if (version) payload.version = version;
         const result = await window.__gossamer_invoke('opsm_runtime', payload);
-        // Result is JSON: {output: "...", exit_code: 0}
         if (typeof result === 'string') {
           try { return JSON.parse(result); } catch(_) { return { output: result, exit_code: 0 }; }
         }
         return result;
       }
-      throw new Error('Gossamer IPC not available — run PanLL via gossamer dev');
+
+      // 2. Tauri runtime (mobile/desktop app)
+      if (window.__TAURI_INTERNALS__ && window.__TAURI_INTERNALS__.invoke) {
+        const result = await window.__TAURI_INTERNALS__.invoke('opsm_runtime', payload);
+        return result;
+      }
+
+      // 3. PanLL IPC bridge
+      if (panll && typeof panll.invoke === 'function') {
+        const result = await panll.invoke('opsm_runtime', payload);
+        if (typeof result === 'string') {
+          try { return JSON.parse(result); } catch(_) { return { output: result, exit_code: 0 }; }
+        }
+        return result;
+      }
+
+      throw new Error('No IPC runtime available — run via PanLL, Gossamer, or Tauri');
     }
 
     // --- Tab switching ---
