DACIP DACIP PROOF
NIGHTLY · PUBLIC · FALSIFIABLE

Run it again.
Get the same bytes.

"Deterministic" is easy to say and easy to fake. So every night this page re-scans the 9 audited open-source repos at pinned commits — and runs every scan twice. If the two runs are not byte-for-byte identical, the row below turns red where everyone can see it.

Same pinned commit, same engine version, anyone's machine: uvx dacip investigate reproduces these numbers. No LLM reviewer can put up a page like this, because no LLM gives the same answer twice.

last run: engine: objective:
scans byte-identical on the second run, tonight
major OSS repos, pinned commits, scanned cold
backend routes extracted from source
frontend API calls matched against them
defect-grade findings asserted across all nine, each with evidence

Tonight's runs, repo by repo.

Each repo is fetched at its pinned commit and analyzed twice from a clean slate. The hash covers every artifact the run produces: findings, coverage, diagnostics, the report, the repros.

RepositoryPinned commitFilesRoutesCallsDefectsRerun checkScan time
loading data.json …

Defect counts are what the evidence gate asserts at these exact commits — three of the historical findings are linked below as receipts; fixed ones no longer derive, which is the point.

The receipts behind the zero-FP claim.

Every asserted defect from the original audit was hand-verified and disclosed upstream, under this project's name, where the maintainers could call us wrong.

Method — reproduce it yourself

# any repo below, at its pinned commit
git fetch --depth 1 origin <pinned-sha> && git checkout FETCH_HEAD
uvx dacip investigate "api contract audit"
# run it again — same store wiped, same commit
uvx dacip investigate "api contract audit"
# diff the artifacts: they are the same bytes
diff -r run1/.dacip/runs run2/.dacip/runs   # → empty

The nightly job does exactly this — tools/proofrun.py — and publishes the raw output as data.json.

What this proves — and what it doesn't

Proves: the engine is deterministic in public — same commit in, byte-identical verdict out, re-checked every night on nine production-scale codebases.
Proves: the extraction numbers are live, not marketing: routes, calls, and findings regenerate nightly from source you can check out.
Doesn't prove: zero false positives by itself — that claim rests on the hand-verified, upstream-disclosed findings above, and it stays falsifiable: dispute any asserted defect and we'll correct it in public.
Doesn't prove: completeness. Dynamic routes and unsupported frameworks are counted and labelled in every run — DACIP tells you what it can't see instead of guessing.