Fix False Positive Secret Detection

The secret scanner's weak signing secret regex produces false critical findings from enum values, JSDoc examples, dev default constants, form field type declarations, and mock methods. Across 48 repos tested, this regex has zero true positives and 23+ false positives. Those false findings propagate into AGENTS.md as duplicated constraint lines and into project-context.md as inflated issue counts. The PostHog `phc_` pattern also flags intentionally-public analytics keys as warnings.

verdict PASSscore 12 / 12findings 5 (0 risk · 1 debt · 4 obs)duration 1h 23mrejection cycles 0shipped May 26, 2026surface cli

Pipeline timeline

Intent to proven code in 1h 23m across Think, Plan, Build, and Verify.

Think
11m
Plan
6m
Build
54m
Verify
22m

Assertion ledger

12 claims, each independently verified. Showing 8 — show all →

IDSaysMatcher
A001The weak signing secret regex no longer exists in the scannerverifiedok
A002PostHog public analytics keys are no longer flaggedverifiedok
A003AWS documented example key is not flagged as a secretverifiedok
A004Real AWS keys are still detectedverifiedok
A005Database URLs with bracket template passwords are not flaggedverifiedok
A006Database URLs with short placeholder passwords are not flaggedverifiedok
A007Database URLs with real credentials are still detectedverifiedok
A008Enum values like SECRET = secret no longer trigger false findingsverifiedok

Findings 5 total

debtpackages/cli/tests/commands/commit-hygiene.test.tsclosed
Vacuously true test — __tests__ exclusion still uses removed phc_ pattern
obspackages/cli/src/engine/findings/rules/secrets.tsmonitor
Trailing bracket regex broader than [password] intent — matches any lowercase word ending in ]
obspackages/cli/tests/engine/findings/secrets.test.tsclosed
Dedup assertions test extracted logic, not actual generateAgentsMd code path
obspackages/cli/tests/engine/findings/secrets.test.tsclosed
@ana tag namespace collision — A001-A007 duplicated from fix-scanner-trust-output cycle
obspackages/cli/tests/engine/findings/secrets.test.tsclosed
fix-scanner-trust-output-C1 still present — A007 old test asserts 'at least one critical' without verifying both URLs fire

Integrity seal

scopesha256:d9f42b5ecbb57...
contractsha256:b29c1d9ddb1bf...
plansha256:6fb8cabdbcd6a...
specsha256:42f3f0251c7e0...
build-reportsha256:9e2c48e42ab22...
build-datasha256:f788192b77131...
verify-reportsha256:ab5ec0bfa7f5c...
verify-datasha256:a9ddedb148876...
audit cmd$ ana proof audit fix-false-positive-secrets   → all hashes match