Fix Scanner Trust Output
The scanner produces incorrect output in two narrow, high-impact ways: it flags template URL patterns as critical secrets (false positives), and it generates unrunnable `npm vitest run` commands for monorepo projects. Both erode first-user trust — the tool's own output is untrustworthy. A user who sees a false CRITICAL finding or a broken test command in their first scan has no reason to trust anything else the tool says.
- verdict: PASS
- score: 12 / 12
- findings: 3 (0 risk · 1 debt · 2 obs)
- duration: 2h 12m
- rejection cycles: 0
- shipped: May 17, 2026
- surface: cli
Pipeline timeline
Intent to proven code in 2h 12m across Think, Plan, Build, and Verify.
- Think: 17m
- Plan: 4m
- Build: 4m
- Verify: 3m
Assertion ledger
12 claims, each independently verified. Showing 8 of 12.
| ID | Says | Matcher | Result |
|---|---|---|---|
| A001 | Double-angle template passwords are not flagged as secrets | verified | ok |
| A002 | Mustache template passwords are not flagged as secrets | verified | ok |
| A003 | Dollar-brace template passwords are not flagged as secrets | verified | ok |
| A004 | Environment variable references in DB URLs are not flagged | verified | ok |
| A005 | Single-angle placeholder passwords are not flagged as secrets | verified | ok |
| A006 | Real passwords in database URLs are still caught as critical | verified | ok |
| A007 | Passwords containing angle brackets but not template syntax still fire | verified | ok |
| A008 | npm projects get npx vitest run, not npm vitest run | verified | ok |
Findings 3 total
- debt · `packages/cli/tests/engine/findings/secrets.test.ts` → monitor
  A007 test asserts 'at least one critical' but doesn't verify BOTH passwords fire — url2 could silently pass
- obs · `packages/cli/src/engine/findings/rules/secrets.ts` → monitor
  Single-angle pattern suppresses real passwords that happen to be lowercase words in angle brackets (e.g., `<admin>`, `<token>`)
- obs → closed
  Proof chain finding monorepo-build-scoping-C5 (path injection in state.ts) still present — this build doesn't touch that code path
Integrity seal
- scope: sha256:2940774b53952...
- contract: sha256:d2f86ad220310...
- plan: sha256:21d5b12f22043...
- spec: sha256:eccbbb0407bbc...
- build-report: sha256:18c8d92c14008...
- build-data: sha256:8fce9649b38cb...
- verify-report: sha256:ea11112629b34...
- verify-data: sha256:41b4843b8f822...
- audit cmd: `$ ana proof audit fix-scanner-trust-output` → all hashes match