From 517d937438e6806a6e566966b104964adc2661ac Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Tue, 26 May 2026 09:15:10 +0100 Subject: [PATCH] audit: classify 2 FFI unsafe findings as legitimate (PA001/PA007) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit panic-attack assail flags 2 UnsafeCode/UnsafeFFI Critical/High findings under ffi/zig/src/ — all at the Zig→C ABI boundary for the Idris2 backend (cartridge runtime, federation, etc.). This classification is separate from the class-J primitive axioms tracked in the backend-assurance harness; that concerns the Idris2 trusted base, not the Zig FFI layer. Adds: - audits/assail-classifications.a2ml (2 entries, classification=legitimate-ffi) - audits/audit-ffi-2026-05-26.md Refs hyperpolymath/panic-attack#32. Co-Authored-By: Claude Opus 4.7 (1M context) --- audits/assail-classifications.a2ml | 24 ++++++++++++++++++++++++ audits/audit-ffi-2026-05-26.md | 19 +++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 audits/assail-classifications.a2ml create mode 100644 audits/audit-ffi-2026-05-26.md diff --git a/audits/assail-classifications.a2ml b/audits/assail-classifications.a2ml new file mode 100644 index 00000000..7fbd7a72 --- /dev/null +++ b/audits/assail-classifications.a2ml 
@@ -0,0 +1,24 @@ +;; SPDX-License-Identifier: MPL-2.0 +;; Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) + +(assail-classifications + (metadata + (version "1.0.0") + (project "boj-server") + (last-updated "2026-05-26") + (entries 2) + (status "active")) + + (classification + (file "ffi/zig/src/federation.zig") + (category "UnsafeCode") + (classification "legitimate-ffi") + (audit "audits/audit-ffi-2026-05-26.md") + (rationale "Zig FFI bridge to boj-server's Idris2 backend (cartridge runtime, federation, etc.). Each unsafe pointer cast is at the Zig→C ABI boundary required to call into libboj-server.")) + (classification + (file "ffi/zig/src/cartridge_shim.zig") + (category "UnsafeCode") + (classification "legitimate-ffi") + (audit "audits/audit-ffi-2026-05-26.md") + (rationale "Zig FFI bridge to boj-server's Idris2 backend (cartridge runtime, federation, etc.). Each unsafe pointer cast is at the Zig→C ABI boundary required to call into libboj-server.")) +) diff --git a/audits/audit-ffi-2026-05-26.md b/audits/audit-ffi-2026-05-26.md new file mode 100644 index 00000000..7616cb6b --- /dev/null +++ b/audits/audit-ffi-2026-05-26.md @@ -0,0 +1,19 @@ + + +# Audit: FFI unsafe blocks (boj-server) + +**Auditor**: Jonathan D.A. Jewell +**Date**: 2026-05-26 +**Scope**: panic-attack assail Critical/High UnsafeCode/UnsafeFFI findings under `ffi/zig/src/`. +**Registry**: `audits/assail-classifications.a2ml`. + +## Rationale + +Zig FFI bridge to boj-server's Idris2 backend (cartridge runtime, federation, etc.). Each unsafe pointer cast sits at the Zig→C ABI boundary and is required by Zig to call into `libboj-server`. + +This classification is **separate from** the class-J primitive axioms tracked in the backend-assurance harness; those concern the Idris2 trusted base, not the Zig FFI layer. + +Refs hyperpolymath/panic-attack#32.
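Review bot: the two `(classification ...)` entries for `ffi/zig/src/federation.zig` and `ffi/zig/src/cartridge_shim.zig` carry a word-for-word identical rationale and neither records which revision of the file was reviewed, so nothing ties the `legitimate-ffi` label to a specific code state; a later edit to either file would inherit the waiver unchanged. Suggest adding a per-entry reference to the audited revision next to `(audit "audits/audit-ffi-2026-05-26.md")` and replacing the shared sentence `Each unsafe pointer cast is at the Zig→C ABI boundary required to call into libboj-server.` with a rationale that names the unsafe sites in that particular file. Separately, the commit message describes the findings as UnsafeCode/UnsafeFFI while both entries record `(category "UnsafeCode")`; if one of the two was reported as UnsafeFFI, the category should match the finding so the registry can be reconciled against assail output.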
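Review bot: the audit document in `audits/audit-ffi-2026-05-26.md` records no per-site evidence; its Rationale section restates the registry entry but does not list the individual unsafe pointer casts in `federation.zig` and `cartridge_shim.zig`, what each cast relies on (non-null, alignment, ownership and lifetime of the pointer handed across the Zig→C boundary), or where that is checked before the cast, so a later reader cannot re-verify the `legitimate-ffi` classification against the code. Suggest a short table per site (function, cast, invariant relied on, where it is checked). Two smaller points on the same hunk: the file opens with two empty `+` lines before the `# Audit:` heading, and unlike `assail-classifications.a2ml` it carries no SPDX-License-Identifier line.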