
fix(security): restore archive and export findings #1605

Open

mldangelo-oai wants to merge 6 commits into main from fix/recent-security-regressions

fix(security): restore archive and export findings#1605
mldangelo-oai wants to merge 6 commits into
mainfrom
fix/recent-security-regressions

Conversation

mldangelo-oai (Contributor) commented Jun 9, 2026

Summary

  • let the PyTorch ZIP scanner inspect central/local size mismatches so malformed symlink targets still produce security findings, while generic ZIP scans continue to reject hidden or ambiguous entries
  • scan each validated ZIP segment in concatenated HDF5 user blocks so earlier malicious members are not hidden by the final central directory
  • prevent exported source redaction from treating comparisons as assignments or leaking suffixes appended to quoted redaction markers
  • make CatBoost subprocess tests explicitly UTF-8 on Windows and satisfy the standalone picklescan type-check lane
  • stop rescanning complete encoded pickles at interior Base64 windows and preserve complete raw nested-pickle analysis under the dedicated nested byte budget

Validation

  • ruff format --check modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
  • ruff check modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
  • mypy --platform linux modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
  • 1,703 ZIP and PyTorch ZIP scanner tests
  • 838 SARIF redaction and CatBoost tests
  • 20 HDF5 user-block routing tests
  • 57 standalone picklescan safe-spec tests
  • 163 Rust scanner tests
  • 2,244 standalone picklescan Python tests
  • exact nested-pickle regressions under Python 3.13

The full fast suite reached 5,918 passes before xdist stopped on three cache-state failures. One passed immediately when rerun serially; the other two reproduce unchanged on origin/main with the same macOS interpreter.
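Added worked example for the redaction bullet in the summary above; this is not code from this PR or from the modelaudit code base. It puts a deliberately naive regex redactor (which shows both failure modes the bullet names: a loose `=` match that swallows `==`, and a replacement that stops at the first closing quote so the rest of the right-hand side survives next to the marker) beside a tokenizer-based redactor that cannot make either mistake. The secret-name list, the `"[REDACTED]"` marker, the regex and the sample source are assumptions of the example.

```python
"""Redact secret string literals from exported Python source without rewriting
comparisons and without leaving the tail of a literal beside the marker.
Added illustration, not the modelaudit project's redaction code; SECRET_NAMES,
MARKER, the naive regex and SAMPLE are assumptions of this example."""
import io
import re
import tokenize

SECRET_NAMES = {"api_key", "password", "secret", "token"}
MARKER = '"[REDACTED]"'

# Naive version: '=+' also matches '==', and only the first quoted literal is replaced.
NAIVE = re.compile(r"\b(%s)\b\s*=+\s*([\"'])[^\"']*\2" % "|".join(sorted(SECRET_NAMES)))


def redact_naive(src: str) -> str:
    return NAIVE.sub(lambda m: f"{m.group(1)} = {MARKER}", src)


def redact_tokens(src: str) -> str:
    """Token-based version.

    The tokenizer emits '==' as a single OP token, so a comparison never looks like
    the '=' that starts a secret assignment (or keyword argument).  Every STRING
    token from that '=' to the end of the logical line is replaced by splicing over
    its exact (row, col) span, so no part of the right-hand side survives beside the
    marker.  Redacting an extra literal on the same statement is the safe direction.
    """
    starts = [0]
    for line in src.splitlines(keepends=True):
        starts.append(starts[-1] + len(line))

    def offset(pos):
        row, col = pos
        return starts[row - 1] + col

    toks = list(tokenize.generate_tokens(io.StringIO(src).readline))
    spans, redacting = [], False
    for i, tok in enumerate(toks):
        if tok.type in (tokenize.NEWLINE, tokenize.ENDMARKER):
            redacting = False
        elif (tok.type == tokenize.OP and tok.string == "=" and i > 0
              and toks[i - 1].type == tokenize.NAME
              and toks[i - 1].string in SECRET_NAMES):
            redacting = True
        elif redacting and tok.type == tokenize.STRING:
            spans.append((offset(tok.start), offset(tok.end)))
    for a, b in reversed(spans):  # splice from the end so earlier offsets stay valid
        src = src[:a] + MARKER + src[b:]
    return src


# Constructed sample: a secret built from two literals, a comparison, a keyword argument.
SAMPLE = (
    'api_key = "sk-" + "live-0123"\n'
    'if token == "hunter2":\n'
    "    raise SystemExit\n"
    "connect(password='p@ss', timeout=3)\n"
)
```

Run `redact_naive(SAMPLE)` and `"live-0123"` is still in the output and the `if` line has become `if token = "[REDACTED]":`, which is no longer valid Python; `redact_tokens(SAMPLE)` rewrites both halves of the concatenation and the keyword argument and leaves the comparison untouched. Whether a literal compared against a secret should also be hidden is a separate policy question; the point here is that the rewrite must never turn a comparison into an assignment.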

Allow the PyTorch scanner to inspect malformed ZIP size metadata without weakening generic ZIP rejection, scan concatenated HDF5 user-block archives independently, and harden exported source credential redaction.
mldangelo-oai added the codex, codex-automation, bug (Something isn't working) and security (Security-related issues and vulnerabilities) labels on Jun 9, 2026
github-actions bot commented Jun 9, 2026

Workflow run and artifacts

Performance Benchmarks

Compared 12 shared benchmarks with a regression threshold of 15%.
Status: 0 regressions, 0 improved, 12 stable, 0 new, 0 missing.
Aggregate shared-benchmark median: 1.415s -> 1.398s (-1.2%).

| Workload | Benchmark | Target | Size | Files | Baseline | Current | Change | Status |
|---|---|---|---|---|---|---|---|---|
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_base64] | nested_base64 | 98 B | 1 | 488.3us | 468.1us | -4.1% | stable |
| clean-training-checkpoint | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_clean_training_checkpoint | safe_large | 278.2 KiB | 1 | 112.03ms | 109.94ms | -1.9% | stable |
| chunked-upload-stream | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_chunked_upload_stream | chunked_stream | 278.2 KiB | 1 | 114.88ms | 112.86ms | -1.8% | stable |
| direct-malicious-upload | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_direct_malicious_upload | malicious_reduce | 52 B | 1 | 431.2us | 438.8us | +1.7% | stable |
| suspicious-pickle-intake | tests/benchmarks/test_scan_benchmarks.py::test_scan_suspicious_pickle_intake | suspicious-intake | 183.8 KiB | 4 | 141.87ms | 139.97ms | -1.3% | stable |
| duplicate-heavy-registry | tests/benchmarks/test_scan_benchmarks.py::test_scan_duplicate_registry_snapshot | registry-snapshot | 915.2 KiB | 13 | 399.38ms | 394.11ms | -1.3% | stable |
| mixed-model-repository | tests/benchmarks/test_scan_benchmarks.py::test_scan_release_candidate_repository | release-candidate | 547.3 KiB | 32 | 475.43ms | 470.70ms | -1.0% | stable |
| single-checkpoint-preflight | tests/benchmarks/test_scan_benchmarks.py::test_scan_single_checkpoint_before_load | single_checkpoint.pkl | 183.0 KiB | 1 | 72.49ms | 71.90ms | -0.8% | stable |
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_hex] | nested_hex | 130 B | 1 | 498.4us | 500.3us | +0.4% | stable |
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_raw] | nested_raw | 78 B | 1 | 473.1us | 474.0us | +0.2% | stable |
| warm-cache-rescan | tests/benchmarks/test_scan_benchmarks.py::test_scan_warm_cached_repository_rescan | release-candidate | 547.3 KiB | 32 | 96.37ms | 96.48ms | +0.1% | stable |
| padded-multi-stream-upload | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_padded_multi_stream_upload | multi_stream_padded | 4.1 KiB | 1 | 535.2us | 534.7us | -0.1% | stable |

chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e3454d8782

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread: modelaudit/scanners/pytorch_zip_scanner.py (outdated)
Comment thread: modelaudit/core.py
Stop probing interior Base64 windows after a complete encoded pickle consumes the literal, and scan complete raw nested pickles under the dedicated nested byte budget even when the generic literal scan cap is smaller.

chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f9b8eb3f94


```python
"scan_outcome_reason": "zip_analysis_incomplete",
},
)
if isinstance(error, _ZipLocalEntryMismatch) and error.entry.is_symlink:
```


P2: Surface mismatched ZIP symlinks in scan

When a mismatched symlink is scanned via ZipScanner.scan (generic ZIP/core preflight), this helper is bypassed; scan catches _InvalidZipDirectory separately and emits only S902, so the unsafe link is not surfaced as critical S406. Apply the same mapping in that path.

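Added worked example, not code from this PR or the modelaudit project, covering the first two summary bullets (central/local size disagreements on a symlink member, and several ZIPs concatenated in an HDF5 user block) together with the P2 point above about still surfacing the symlink on the path that rejects the archive. It builds the malformed input itself with the standard library: two ZIPs back to back in the user block, the second containing a symlink whose local header sizes have been zeroed. The finding kinds, the `strict` switch (`True` stands in for a generic preflight, `False` for the model-aware scan), and the sample members are assumptions of the example.

```python
"""Walk every ZIP inside an HDF5 user block, cross-check each member's central and
local sizes, and report symlink members.  Added illustration, not the modelaudit
project's code; finding kinds and the strict/lenient switch are assumptions."""
import io
import struct
import zipfile

HDF5_SIG = b"\x89HDF\r\n\x1a\n"
EOCD_SIG, CDH_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
S_IFMT, S_IFLNK = 0xF000, 0xA000  # Unix st_mode bits sit in the high word of external_attr

def user_block(blob: bytes) -> bytes:
    """HDF5 puts its superblock at offset 0, 512, 1024, ...; the bytes before it are the user block."""
    off = 0
    while off < len(blob):
        if blob[off:off + 8] == HDF5_SIG:
            return blob[:off]
        off = 512 if off == 0 else off * 2
    raise ValueError("no HDF5 superblock found")

def zip_segments(data: bytes):
    """Yield each self-consistent ZIP in file order instead of trusting only the final EOCD."""
    start = 0
    while (eocd := data.find(EOCD_SIG, start)) >= 0:
        cd_off, comment_len = struct.unpack_from("<LH", data, eocd + 16)
        if data[start + cd_off:start + cd_off + 4] != CDH_SIG:
            raise ValueError(f"EOCD at {eocd} does not point at a central directory")
        end = eocd + 22 + comment_len
        yield data[start:end]
        start = end

def scan_segment(seg: bytes, strict: bool) -> list:
    """strict=True models the generic preflight (reject on the first disagreement);
    strict=False models the model-aware scan that keeps going.  A symlink member is
    reported with its target before any rejection in both modes."""
    findings = []
    pos = struct.unpack_from("<L", seg, seg.rfind(EOCD_SIG) + 16)[0]  # central directory offset
    while seg[pos:pos + 4] == CDH_SIG:
        f = struct.unpack_from("<6H3L5H2L", seg, pos + 4)
        method, comp, uncomp, name_len, extra_len, comment_len, ext_attr, lfh_off = (
            f[3], f[7], f[8], f[9], f[10], f[11], f[14], f[15])
        name = seg[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        pos += 46 + name_len + extra_len + comment_len
        findings.append({"name": name, "kind": "member"})
        if seg[lfh_off:lfh_off + 4] != LFH_SIG:
            findings.append({"name": name, "kind": "rejected", "why": "missing local header"})
            return findings
        l_comp, l_uncomp, l_name_len, l_extra_len = struct.unpack_from("<LLHH", seg, lfh_off + 18)
        mismatch = (l_comp, l_uncomp) != (comp, uncomp)
        if mismatch:
            findings.append({"name": name, "kind": "size_mismatch",
                             "central": (comp, uncomp), "local": (l_comp, l_uncomp)})
        if (ext_attr >> 16) & S_IFMT == S_IFLNK:
            data_start = lfh_off + 30 + l_name_len + l_extra_len
            # Read the target with the central-directory size; the local copy is the tampered one.
            target = seg[data_start:data_start + comp].decode("utf-8", "replace") if method == 0 else None
            findings.append({"name": name, "kind": "symlink", "target": target})
        if mismatch and strict:
            findings.append({"name": name, "kind": "rejected", "why": "ambiguous sizes"})
            return findings
    return findings

def scan_hdf5_user_block(blob: bytes, strict: bool = False) -> list:
    return [{"segment": i, **f} for i, seg in enumerate(zip_segments(user_block(blob)))
            for f in scan_segment(seg, strict)]

def stdlib_view(blob: bytes) -> list:
    """What zipfile alone reports: only the archive that owns the last EOCD."""
    return zipfile.ZipFile(io.BytesIO(user_block(blob))).namelist()

# ---- constructed sample input; not a real model file ----
def build_zip(members: dict, symlinks: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
        for name, target in symlinks.items():
            zi = zipfile.ZipInfo(name)
            zi.create_system = 3               # Unix, so external_attr carries st_mode
            zi.external_attr = 0o120777 << 16  # S_IFLNK | 0777
            zf.writestr(zi, target)
    return buf.getvalue()

def corrupt_local_sizes(zip_bytes: bytes, name: str) -> bytes:
    """Zero the sizes in `name`'s local header so it disagrees with the central directory."""
    pos = 0
    while (pos := zip_bytes.find(LFH_SIG, pos)) >= 0:
        name_len = struct.unpack_from("<H", zip_bytes, pos + 26)[0]
        if zip_bytes[pos + 30:pos + 30 + name_len] == name.encode():
            return zip_bytes[:pos + 18] + struct.pack("<LL", 0, 0) + zip_bytes[pos + 26:]
        pos += 4
    raise KeyError(name)

def build_sample() -> bytes:
    first = build_zip({"evil.pkl": b"cos\nsystem\n(S'id'\ntR."}, {})  # protocol-0 pickle text
    second = corrupt_local_sizes(
        build_zip({"model.bin": b"weights"}, {"link": "../../etc/passwd"}), "link")
    ub = first + second
    ub += b"\0" * (1024 - len(ub))    # user block sizes are 0 or a power of two >= 512
    return ub + HDF5_SIG + b"\0" * 8  # stand-in for the rest of the superblock
```

`stdlib_view(build_sample())` returns only `['model.bin', 'link']`: `zipfile` locates the last end-of-central-directory record and adjusts for the leading bytes, so `evil.pkl` in the first segment never appears. `scan_hdf5_user_block` walks both segments and, for `link`, reports the size disagreement and the symlink target `../../etc/passwd`; with `strict=True` it additionally rejects the archive, but only after the symlink finding has been emitted, which is the mapping the P2 comment asks for. The target is read with the central-directory size because that is the copy a central-directory-driven extractor uses; the zeroed local header is reported, not trusted.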
