Fix scan display accuracy — env hygiene false positive and contributor label
The scan makes two claims the data doesn't support. First, `.gitignore covers .env` passes on a substring match — `.env.local` contains `.env`, so repos that only cover `.env.local` variants get a false "clean" checkmark. Second, the contributor count shows `activeContributors` without the "active" qualifier, making a 563-contributor repo look like it has 27 people.
verdict PASSscore 8 / 8findings 6 (2 risk · 2 debt · 2 obs)duration 35mrejection cycles 0shipped Jun 2, 2026surface cli
Pipeline timeline
Intent to proven code in 35m across Think, Plan, Build, and Verify.
Think1m
Plan7m
Build5m
Verify5m
Assertion ledger
8 claims, each independently verified.
| ID | Says | Matcher | |
|---|---|---|---|
| A001 | Repos that only gitignore .env.local are correctly flagged as not covering .env | verified | ok |
| A002 | Repos with .env in their gitignore are still correctly detected as covered | verified | ok |
| A003 | Non-git directories gracefully fall back to assuming .env is not covered | verified | ok |
| A004 | Git negation patterns that un-ignore .env are correctly detected | verified | ok |
| A005 | The contributor count shows the active qualifier | verified | ok |
| A006 | A single contributor uses singular form | verified | ok |
| A007 | A single contributor does not show plural form | verified | ok |
| A008 | Existing env hygiene finding tests still pass unchanged | verified | ok |
Findings 6 total
riskpackages/cli/tests/engine/scan-engine-secrets.test.ts→ scope
git init without -b main in both new test files — CI runners with different init.defaultBranch may fail
riskpackages/cli/tests/commands/scan.test.ts→ scope
git init without -b main in contributor display test
debtpackages/cli/tests/commands/scan.test.ts→ monitor
A005 tests singular form only — contract value 'active contributors' (plural) not directly verified because test has 1 contributor
debtpackages/cli/tests/commands/scan.test.ts→ closed
Contributor display test gates assertion behind truthy check — if Activity line disappears from output, test silently passes
obspackages/cli/src/engine/scan-engine.ts→ closed
Synchronous execSync in async function — documented as acceptable but adds subprocess overhead to every scan
+1more findings
Integrity seal
scopesha256:7fa0cc078b253...
contractsha256:8a0ea7ce883e8...
plansha256:5105e4b48f287...
specsha256:6c931de1b61cf...
build-reportsha256:0386447e65ab6...
build-datasha256:995bb05ceedae...
verify-reportsha256:3e285822b19f6...
verify-datasha256:4f3b159ebab8a...
audit cmd$ ana proof audit fix-scan-display-accuracy → all hashes match