Each repo is fetched at its pinned commit and analyzed twice from a clean slate. The hash covers every artifact the run produces: findings, coverage, diagnostics, the report, the repros.
| Repository | Pinned commit | Files | Routes | Calls | Defects | Rerun check | Scan time |
|---|---|---|---|---|---|---|---|
| loading data.json … | |||||||
Defect counts are what the evidence gate asserts at these exact commits — three of the historical findings are linked below as receipts; fixed ones no longer derive, which is the point.
Every asserted defect from the original audit was hand-verified and disclosed upstream, under this project's name, where the maintainers could call us wrong.
The nightly job does exactly this — tools/proofrun.py — and publishes the raw output as data.json.