fix(detector): catch function-attribute replay #16

Closed
WazupSteve wants to merge 1 commit into gpu-mode:main from WazupSteve:blue-function-attr-replay-kg-red-18

@WazupSteve

Summary

Targets red #18 (function-attribute flag replay). Live kernelguard==0.2.2 classified the exploit as valid because replay state is stored directly on the custom_kernel function object rather than in module globals, captured dict/object state, or a cache-named container:

def custom_kernel(data):
    if getattr(custom_kernel, "ready", False):
        return custom_kernel.out
    out = data.clone()
    custom_kernel.ready = True
    custom_kernel.out = out
    return out

The fast path ignores the input and returns a saved output, but the existing flag/counter detector only covers global declarations. This patch adds a narrow LAST_CALL_REPLAY pass for entrypoint-object attributes.

Approach

Within the configured entrypoint, collect attributes assigned on the entrypoint function object itself, for example custom_kernel.out = .... Then flag an if branch only when:

  • the branch body has no real compute calls,
  • the test references the entrypoint function object and no input parameter,
  • the branch returns an entrypoint attribute that is assigned somewhere in the entrypoint.

This keeps callable/compiled-kernel caches and lazy buffer initialization out of scope because they either call through the cached object or do not return a saved entrypoint attribute from a call-free fast path.

KernelGuard-Red-Submission: 18

Test plan

  • red18_function_attr_flag -> LAST_CALL_REPLAY, should_filter=True
  • plain_kernel -> stays valid
  • function_attr_callable_cache_legit -> stays valid
  • function_attr_buffer_init_legit -> stays valid
  • function_attr_shape_dispatch_legit -> stays valid
  • python3 -m py_compile kernelguard.py

@WazupSteve WazupSteve temporarily deployed to kernelguard-api-control-plane May 1, 2026 17:15 — with GitHub Actions Inactive
@github-actions

github-actions Bot commented May 1, 2026

KernelGuard Blue Evaluation

@WazupSteve

Author

Withdrawing this PR because the associated Flywheel static red attempts were removed as unproven/out-of-scope for the campaign GPU-kernel work.
