fix(io_boundary): reclassify Python stdio from ipc_send to logging (WI-tolif)

The 2026-04-23 self-audit found that 70 of hypergumbo's 77 ipc_send
chains were just sys.stderr writes — cli.py progress output,
warnings, error messages. Same false-positive class that drove Go's
log / log/slog / fmt to be moved out of ipc_send into the dedicated
logging boundary back when alertmanager was producing 134 such FPs
(see test_go_catalog_slog_logging).

Move sys.stdout and sys.stderr from python.yaml#ipc_send to a new
python.yaml#logging block. sys.stdin stays in ipc_recv — it CAN
receive untrusted piped input from the parent process, which is a
real IPC threat-model concern, not a cosmetic one.

No taint-flow regression: AUTO_SINK_ZONE_MAP intentionally does not
include 'logging' (matching how Go's log writes are treated), so
moving stdio there means hypergumbo no longer auto-derives stdio as
a taint sink. Project-local catalogs that want stdout/stderr treated
as a disclosure sink can still declare their own taint_sinks entries
via verify-claims --taint-sinks (WI-votan flag).

Cross-language analogs (c.yaml, javascript.yaml, rust.yaml,
scala.yaml, elixir.yaml, haskell.yaml) tracked as scope-expansion
WI-dutah for a follow-up PR.

Signed-off-by: jgstern-agent <josh-agent@iterabloom.com>

Author: jgstern-agent

.ci/affected-tests.txt

@@ -1,5 +1,5 @@
 # Test selection manifest
-# Generated by smart-test at 2026-04-23T16:34:08-04:00
+# Generated by smart-test at 2026-04-23T16:51:30-04:00
 # Mode: targeted
 # Baseline: 7155820d35e44c8ef6a9551be48e9acc316241bc
 # Changed files: 8

CHANGELOG.md

@@ -35,6 +35,10 @@ New `module_attr_ref` edge type emitted across six languages for attribute reads
 
 - **`io_primitives/python.yaml#net_send`** gains `huggingface_hub.{snapshot_download, hf_hub_download}`, `huggingface_hub.HfApi.{model_info, list_repo_files, download_file}`, and `sentence_transformers.SentenceTransformer`. Surfaced by the 2026-04-23 self-audit: hypergumbo's embeddings extra demonstrably contacts HF Hub (the dogfood run printed an "unauthenticated requests to the HF Hub" warning), but io-boundaries reported zero matching `net_send` chains because the HF stack lives one layer above the `requests` / `httpx` clients the catalog already covered. Adding the wrapper-layer entries lets `verify-claims` reason about the embeddings install's network surface without having to walk into third-party code.
 
+#### IO catalog — Python stdio reclassified from ipc_send to logging (WI-tolif)
+
+- **`io_primitives/python.yaml`**: `sys.stdout` and `sys.stderr` move out of `ipc_send` into a new `logging` block. Same fix Go's `log` / `log/slog` / `fmt` already received (see `test_go_catalog_slog_logging`): writing to stdout/stderr is terminal/log output, not inter-process communication in any threat-model sense, and classifying it as `ipc_send` produced 70 false-positive chains in hypergumbo's own self-analysis (out of 77 ipc_send chains total). `sys.stdin` stays in `ipc_recv` — it can carry untrusted piped input from the parent process, which is a real IPC threat-model concern. Cross-language analogs (`c.yaml`, `javascript.yaml`, `rust.yaml`, `scala.yaml`) tracked separately.
+
 ### Changed
 
 #### Taint catalog auto-derivation (WI-lokuv)

packages/hypergumbo-core/src/hypergumbo_core/io_primitives/python.yaml

@@ -157,14 +157,21 @@ net_recv:
     notes: "aiohttp web server"
 
 ipc_send:
-  - module: sys
-    attributes: [stdout, stderr]
-    notes: "Writing to stdout/stderr sends data to the parent process or terminal"
   - module: multiprocessing.Queue
     methods: [put, put_nowait]
   - module: multiprocessing.Pipe
     methods: [send, send_bytes]
 
+logging:
+  # WI-tolif: stdio writes are terminal output / log destinations, not
+  # inter-process communication in any threat-model sense — same reason
+  # Go's log/slog/fmt sit in `logging` rather than `ipc_send`.  Keeping
+  # them under ipc_send produced 70+ false positives per repo
+  # (hypergumbo's own self-audit on 2026-04-23 surfaced this).
+  - module: sys
+    attributes: [stdout, stderr]
+    notes: "Terminal / log output; redirectable to file or pipe but not by itself an IPC channel"
+
 ipc_recv:
   - module: sys
     attributes: [stdin]

packages/hypergumbo-core/tests/test_io_boundary.py

@@ -80,6 +80,26 @@ def test_python_catalog_has_net_send(self) -> None:
         names = {p.qualified_name for p in net_sends}
         assert "socket.socket.send" in names
 
+    def test_python_catalog_stdio_is_logging_not_ipc_send(self) -> None:
+        # WI-tolif: 2026-04-23 self-audit found that 70 of hypergumbo's 77
+        # ipc_send chains were just sys.stderr writes (cli.py progress
+        # output, warnings) — the same false-positive class that drove
+        # Go's log/slog/fmt to be moved out of ipc_send into logging
+        # (see test_go_catalog_slog_logging). Same fix here for Python:
+        # stdout/stderr are terminal output, not inter-process communication.
+        catalog = load_catalog("python")
+        for attr in ("stdout", "stderr"):
+            hit = catalog.lookup_with_module(attr, "sys")
+            assert hit is not None, f"sys.{attr} should be in the Python IO catalog"
+            assert hit.boundary == "logging", (
+                f"sys.{attr} should be classified as logging, not {hit.boundary}"
+            )
+        # sys.stdin stays in ipc_recv — it can carry untrusted piped input
+        # from the parent process (a real IPC threat model, not just terminal echo).
+        hit = catalog.lookup_with_module("stdin", "sys")
+        assert hit is not None
+        assert hit.boundary == "ipc_recv"
+
     def test_python_catalog_has_huggingface_hub_net_send(self) -> None:
         # WI-jihuj: 2026-04-23 self-audit found that hypergumbo's embeddings
         # extra demonstrably hits HuggingFace Hub (the dogfood run printed