Fix scan display accuracy — env hygiene false positive and contributor label

The scan makes two claims the data doesn't support. First, `.gitignore covers .env` passes on a substring match — `.env.local` contains `.env`, so repos that only cover `.env.local` variants get a false "clean" checkmark. Second, the contributor count shows `activeContributors` without the "active" qualifier, making a 563-contributor repo look like it has 27 people.

verdict PASSscore 8 / 8findings 6 (2 risk · 2 debt · 2 obs)duration 35mrejection cycles 0shipped Jun 2, 2026surface cli

Pipeline timeline

Intent to proven code in 35m across Think, Plan, Build, and Verify.

Think
1m
Plan
7m
Build
5m
Verify
5m

Assertion ledger

8 claims, each independently verified.

IDSaysMatcher
A001Repos that only gitignore .env.local are correctly flagged as not covering .envverifiedok
A002Repos with .env in their gitignore are still correctly detected as coveredverifiedok
A003Non-git directories gracefully fall back to assuming .env is not coveredverifiedok
A004Git negation patterns that un-ignore .env are correctly detectedverifiedok
A005The contributor count shows the active qualifierverifiedok
A006A single contributor uses singular formverifiedok
A007A single contributor does not show plural formverifiedok
A008Existing env hygiene finding tests still pass unchangedverifiedok

Findings 6 total

riskpackages/cli/tests/engine/scan-engine-secrets.test.tsscope
git init without -b main in both new test files — CI runners with different init.defaultBranch may fail
riskpackages/cli/tests/commands/scan.test.tsscope
git init without -b main in contributor display test
debtpackages/cli/tests/commands/scan.test.tsmonitor
A005 tests singular form only — contract value 'active contributors' (plural) not directly verified because test has 1 contributor
debtpackages/cli/tests/commands/scan.test.tsclosed
Contributor display test gates assertion behind truthy check — if Activity line disappears from output, test silently passes
obspackages/cli/src/engine/scan-engine.tsclosed
Synchronous execSync in async function — documented as acceptable but adds subprocess overhead to every scan
+1more findings

Integrity seal

scopesha256:7fa0cc078b253...
contractsha256:8a0ea7ce883e8...
plansha256:5105e4b48f287...
specsha256:6c931de1b61cf...
build-reportsha256:0386447e65ab6...
build-datasha256:995bb05ceedae...
verify-reportsha256:3e285822b19f6...
verify-datasha256:4f3b159ebab8a...
audit cmd$ ana proof audit fix-scan-display-accuracy   → all hashes match