
feat(audit): persist no-match + unknown-method denials (audit #31, P4)#35

Merged: hyperpolymath merged 1 commit into main from audit/audit-no-match-and-unknown-method, Jun 2, 2026

Conversation

@hyperpolymath
Owner

Summary

Audit issue: #31 (priority 4 — provenance/audit logging coverage).

Two denial paths were previously logged via Logger but NOT persisted to
the VeriSimDB audit ledger:

  1. no-match (PolicyCompiler.lookup/3 returns {:error, :no_match})
  2. unknown HTTP method (safe_verb/1 returns nil; PROPFIND, MKCOL,
    REPORT, arbitrary garbage strings)

Both are the most security-relevant paths — probes for undeclared routes
or unsupported verbs are exactly the events a forensic reader most wants
to replay — yet were the ones missing from the audit stream.

Scope

  • lib/http_capability_gateway/gateway.ex: VeriSimDB.audit_deny/4 calls
    on both paths, with a policy_ref discriminator
    ("no_match" or "unknown_method:<METHOD>") so audit readers can
    distinguish these from explicit-rule denials
  • test/gateway_audit_paths_test.exs: 128 LoC of regression tests that
    drain the VeriSimDB ETS buffer and assert on the cast having landed
    (sys.get_state used to flush the cast queue)

Diff: 2 files, +146 LoC.

Test plan

  • mix test test/gateway_audit_paths_test.exs
  • mix test — confirm no existing tests broke
  • Manual: tail VeriSimDB locally and confirm probes for
    /api/undeclared-route and PROPFIND / produce ledger rows
  • Status: DRAFT — please do not auto-merge. Owner review only.

Echo-types audit

record-as-not-relevant. Audit-ledger persistence is a side-effect, not
a typed protocol; no L3 obligation in scope.

Refs: #31

…audit #31, P4)

Two denial paths were previously logged via Logger but NOT persisted to
the VeriSimDB audit ledger:

1. no-match (PolicyCompiler.lookup returns {:error, :no_match})
2. unknown HTTP method (safe_verb/1 returns nil; PROPFIND/MKCOL/garbage)

Both are the most security-relevant paths — probes for undeclared routes
or unsupported verbs are exactly the events a forensic reader most wants
to replay — yet were the ones missing from the audit stream.

Adds VeriSimDB.audit_deny/4 calls on both paths with a "policy_ref"
discriminator ("no_match" or "unknown_method:<METHOD>") so an audit
reader can distinguish these from explicit-rule denials.

Test coverage:
* /api/totally-undeclared DELETE -> 403 + a no_match audit entry
* PROPFIND /api/known -> 405 + an unknown_method:PROPFIND audit entry
* Both tests drain the VeriSimDB ETS buffer and assert on the cast
  having landed (sys.get_state used to flush the cast queue).

Refs: #31 (self-audit, priority 4)
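The two denial paths and the test-synchronisation trick described above, as an added example that is not the project's code. `AuditLedger` is a hypothetical stand-in for VeriSimDB (a GenServer that buffers audit rows in ETS via casts); `Gateway`, `safe_verb/1`, `lookup/2` and the policy map are constructed to mirror the PR's description, not taken from the repository, and the real `VeriSimDB.audit_deny/4` signature is not assumed beyond its arity. The `String.slice/3` cap on the method string is an addition of this example: an unknown verb is attacker-supplied text, so it is bounded before it becomes part of a ledger row.

```elixir
# Added example (not the project's code). AuditLedger is a hypothetical
# stand-in for VeriSimDB: a GenServer that buffers audit rows in ETS via
# casts, the way the PR's tests assume the real sink behaves.
defmodule AuditLedger do
  use GenServer

  def start_link(opts \\ []) do
    GenServer.start_link(__MODULE__, opts, name: __MODULE__)
  end

  # Fire-and-forget: the gateway must never block on the audit sink.
  def audit_deny(method, path, status, policy_ref) do
    row = %{method: method, path: path, status: status, policy_ref: policy_ref}
    GenServer.cast(__MODULE__, {:deny, row})
  end

  # Drain buffered rows in arrival order; ordered_set keeps them sorted by seq.
  def drain do
    rows = for {_seq, row} <- :ets.tab2list(__MODULE__), do: row
    :ets.delete_all_objects(__MODULE__)
    rows
  end

  @impl true
  def init(_opts) do
    :ets.new(__MODULE__, [:named_table, :ordered_set, :public])
    {:ok, 0}
  end

  @impl true
  def handle_cast({:deny, row}, seq) do
    :ets.insert(__MODULE__, {seq, row})
    {:noreply, seq + 1}
  end
end

defmodule Gateway do
  # Hypothetical policy table: only declared {verb, path} pairs have a rule.
  @policy %{{:get, "/api/known"} => :allow, {:delete, "/api/known"} => :deny}
  @safe_verbs %{"GET" => :get, "HEAD" => :head, "POST" => :post,
                "PUT" => :put, "DELETE" => :delete}

  # nil for anything outside the declared verb set (PROPFIND, MKCOL, garbage).
  def safe_verb(method), do: Map.get(@safe_verbs, method)

  def lookup(verb, path) do
    case Map.fetch(@policy, {verb, path}) do
      {:ok, decision} -> {:ok, decision}
      :error -> {:error, :no_match}
    end
  end

  def authorize(method, path) do
    case safe_verb(method) do
      nil ->
        # Unknown method: the verb is attacker-supplied text, so bound it
        # before it becomes part of the discriminator stored in the ledger.
        ref = "unknown_method:" <> String.slice(method, 0, 32)
        AuditLedger.audit_deny(method, path, 405, ref)
        {:deny, 405}

      verb ->
        case lookup(verb, path) do
          {:ok, :allow} ->
            :allow

          {:ok, :deny} ->
            AuditLedger.audit_deny(method, path, 403, "explicit_rule")
            {:deny, 403}

          {:error, :no_match} ->
            # Undeclared route: previously only Logger'd; now a ledger row too.
            AuditLedger.audit_deny(method, path, 403, "no_match")
            {:deny, 403}
        end
    end
  end
end

# Regression-style check, runnable as a script: elixir audit_paths.exs
{:ok, _pid} = AuditLedger.start_link()
{:deny, 403} = Gateway.authorize("DELETE", "/api/totally-undeclared")
{:deny, 405} = Gateway.authorize("PROPFIND", "/api/known")
:allow = Gateway.authorize("GET", "/api/known")

# A synchronous :sys call is answered only after every earlier cast has been
# handled, so the buffer is complete once it returns.
_state = :sys.get_state(AuditLedger)

["no_match", "unknown_method:PROPFIND"] =
  AuditLedger.drain() |> Enum.map(& &1.policy_ref)
IO.puts("both denial paths produced ledger rows")
```

The `:sys.get_state/1` call is the same flush the PR's tests rely on: casts are queued in the GenServer mailbox in order, and a synchronous system message cannot be answered until everything ahead of it has been processed, so the drain that follows sees every row without a sleep. The `policy_ref` discriminator is what lets a reader separate probes for undeclared routes and unsupported verbs from ordinary explicit-rule denials when replaying the ledger.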
@github-actions

github-actions Bot commented Jun 2, 2026

🔍 Hypatia Security Scan

Findings: 65 issues detected

Severity Count
🔴 Critical 6
🟠 High 17
🟡 Medium 42

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Issue in boj-build.yml",
    "type": "missing_timeout_minutes",
    "file": "boj-build.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in casket-pages.yml",
    "type": "missing_timeout_minutes",
    "file": "casket-pages.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in casket-pages.yml",
    "type": "missing_timeout_minutes",
    "file": "casket-pages.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "missing_timeout_minutes",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "missing_timeout_minutes",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "missing_timeout_minutes",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "missing_timeout_minutes",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "missing_timeout_minutes",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "missing_timeout_minutes",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in governance.yml",
    "type": "missing_timeout_minutes",
    "file": "governance.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath marked this pull request as ready for review June 2, 2026 10:17
@hyperpolymath hyperpolymath merged commit 78f4004 into main Jun 2, 2026
18 checks passed
@hyperpolymath hyperpolymath deleted the audit/audit-no-match-and-unknown-method branch June 2, 2026 10:19