zerocopy

Audit of zerocopy 0.8.50, Google's Rust library for safe byte/typed-value transmutation. Matches upstream Git byte-for-byte. Capability surface outside unsafe is small: a build.rs reads Cargo.toml and runs rustc --version; no network, no runtime FS/exec/env, no crypto. ~1249 unsafe occurrences governed by a documented soundness policy, lint-enforced safety comments, and Kani proofs. Four low-severity findings: test-only unsoundness, documentation gap, scope statement, build-script note.

Google-maintained foundational crate for safe transmutation between byte sequences and typed values. Pervasive unsafe is policy-comment-enforced (clippy::undocumented_unsafe_blocks) and tested under Miri (strict provenance + tree borrows), Kani formal proofs, and randomized layout in CI. One low-severity quality finding: 21 unsafe blocks marked FIXME(#429) are missing the per-block safety comment, tracked upstream.