[pitboss/grind] deferred session-0003 (20260521T143544Z-f898)

This commit is contained in:
pitboss 2026-05-21 12:17:45 -05:00
parent b3766311fb
commit 6341afec59
16 changed files with 346 additions and 48 deletions

View file

@ -267,11 +267,11 @@ while the pass stabilises.
| CLI flag | `--backwards-analysis` / `--no-backwards-analysis` |
| Env var (legacy) | `NYX_BACKWARDS=1` |
**Limitations (first cut).** Reverse call-graph expansion past a
`ReachedParam` is deferred; the walk terminates at function parameters
rather than crossing back into callers. Path-constraint pruning is
conservative: only the accumulated `PredicateSummary` bits are consulted,
not the full symbolic predicate stack. Depth-bounded at k=2 for
**Limitations.** Reverse call-graph expansion stops at `ReachedParam`; the walk
terminates at function parameters rather than crossing back into callers.
Path-constraint pruning is conservative: only the accumulated
`PredicateSummary` bits are consulted, not the full symbolic predicate stack.
Depth-bounded at k=2 for
cross-function body expansion. See `DEFAULT_BACKWARDS_DEPTH`,
`BACKWARDS_VALUE_BUDGET`, and `MAX_BACKWARDS_CALLEE_BLOCKS` in
`src/taint/backwards.rs` for the exact bounds.
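Review bot: the rewritten limitations paragraph hardcodes the depth as `k=2` in prose while pointing readers at `DEFAULT_BACKWARDS_DEPTH` in `src/taint/backwards.rs` for the exact bound; the two will drift the first time the constant is tuned. Suggest "Depth-bounded at `DEFAULT_BACKWARDS_DEPTH` (currently 2) for cross-function body expansion", which also joins the split line "Depth-bounded at k=2 for / cross-function body expansion". Dropping "(first cut)" and "is deferred" turns caller-crossing past `ReachedParam` from planned work into a stated design limit; if it is still intended, keep a word to that effect so the `--backwards-analysis` / `NYX_BACKWARDS=1` docs do not read as final.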

View file

@ -53,7 +53,7 @@ When a private helper is called only from authorized route handlers in the same
- Iterated to a small fixpoint so transitive chains (route to mid_helper to leaf_helper) are covered.
- Refuses to authorize helpers with no in-file caller, helpers called from a mix of authorized and unauthorized callers, and helpers called only from un-lifted helpers.
- Cross-file equivalent is deferred.
- Cross-file caller-scope lifting is not implemented yet.
This closes the FastAPI / Django / Flask shape where a route authenticates via decorator or dependency, then delegates to a private helper that performs the sink.
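Review bot: the reworded cross-file bullet says lifting is not implemented but not which way the analysis falls when a route delegates to a helper defined in another module; given the preceding bullet refuses to authorize helpers with no in-file caller, such helpers stay unauthorized and the finding is kept, which is the safe direction for a suppression feature and worth stating explicitly, e.g. "Cross-file caller-scope lifting is not implemented yet; helpers called only from other files are still reported." The closing sentence "This closes the FastAPI / Django / Flask shape" should carry the same same-file qualifier so the claim matches the scope.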

View file

@ -138,8 +138,7 @@ use tree-sitter and are stable; parsing is not a differentiator.
- **Framework context**: Rails helpers (`sanitize_sql`, `permit`, `require`).
- **Known gaps**: string interpolation inside shell and SQL strings is
recognized structurally but not modeled as a distinct operator.
`begin/rescue/ensure` exception-edge wiring is documented as deferred
(structurally incompatible with `build_try()`).
`begin/rescue/ensure` exception-edge wiring is not implemented.
#### Rust: 100% P / 100% R / 100% F1 *(70-case adversarial corpus)*
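Review bot: the replacement line loses the reason the old text gave (`begin/rescue/ensure` wiring being structurally incompatible with `build_try()`), which is the one piece of context a contributor picking this up would need; suggest keeping a short pointer such as "not implemented (does not fit the current `build_try()` shape)". It also helps to say what the gap means for results: a tainted value that reaches a sink only through a `rescue` or `ensure` block is not followed, so the missed cases are false negatives on exception paths rather than noise, and the Rails-helper numbers should be read with that in mind.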

View file

@ -86,7 +86,7 @@ Modifiers in the ±5 range nudge the result for trend (only after the second sca
It's a Nyx-finding-pressure metric, not a security audit. Score 100 means Nyx didn't find anything under its current rules and language coverage; it doesn't certify the absence of vulnerabilities. The score doesn't see runtime config, IAM, secret stores, dependency CVEs, or anything outside the source tree being scanned. A repo of mostly Kotlin (where Nyx coverage is thin) will score artificially well because most of the code never gets evaluated.
Ceilings are calibrated for the current scanner false-positive rates. As symex coverage and rule precision improve, the ceilings tighten. Calibration data and the rationale behind each tunable lives in [health-score-audit.md](health-score-audit.md).
Ceilings are calibrated for the current scanner false-positive rates. As symex coverage and rule precision improve, the ceilings may tighten.
### Findings and Finding detail
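Review bot: the new sentence drops the link to [health-score-audit.md](health-score-audit.md), which was the only pointer to the calibration data and the rationale behind each tunable; if that file still exists after this commit, keep the link, and if it was removed, say where the rationale now lives. Softening "tighten" to "may tighten" also leaves the stability question open: since ceilings are calibrated to the current false-positive rates, the same source tree can score lower on a newer scanner, so a sentence saying scores are comparable only across runs of the same Nyx version would stop teams from reading a drop as a regression in their code.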