phy-concurrency-audit Static scanner for race conditions (CWE-362) and TOCTOU vulnerabilities (CWE-367) in Go, Java, Python, and Node.js/TypeScript codebases. Finds shared-state mutations without synchronization, unsafe concurrency patterns, and check-then-act anti-patterns. Zero external API calls, zero dependencies beyond Python 3 stdlib. Why Concurrency Bugs Are Special - Non-deterministic : reproduce only under load, on multi-core machines, or on specific OS schedulers - Silent corruption : data races don't crash immediately — they corrupt state silently for hours - Security impact : TOCT…