nyx/tests/recall_gaps_baseline.json

{
  "_doc": "Frozen recall-gap baseline. Phases 02-11 prove non-regression by re-running the corpus scan and verifying corpus_findings_total does not drop and rule_id_full counts do not regress per-rule. Hard rule: pitboss agents may not write under .pitboss/, so the baseline lives here in tests/ next to the harness it documents.",
  "captured_on": "2026-05-08",
  "captured_against": "master @ ea82ea98 (post phase 03/05/06/07 land)",
  "recall_gaps_tests": {
    "binary": "recall_gaps",
    "ignored_count": 3,
    "ignored": [
      "cross_package_ipa",
      "nextjs_entrypoints",
      "ssrf_url_builders"
    ],
    "non_ignored": [
      "async_await",
      "baseline_loads",
      "for_await_of_stream",
      "fs_promises_alias_form",
      "fs_promises_alias_require_form",
      "fs_promises_namespace_import",
      "fs_promises_node_import",
      "fs_promises_open",
      "fs_promises_readfile",
      "fs_promises_require_form",
      "fs_promises_safe_userfn",
      "jsx_dangerous_html",
      "orm_builders",
      "promise_all_taint",
      "promise_then_callback",
      "promise_then_chain_reentrant"
    ]
  },
  "corpus_finding_lines": {
    "scan_root": "tests/fixtures",
    "command": "nyx scan tests/fixtures --index off --format console",
    "output_lines": 6466,
    "json_command": "nyx scan tests/fixtures --index off --format json",
    "findings_total": 1121,
    "findings_by_severity": {
      "Low": 20,
      "Medium": 1101
    },
    "rule_id_distinct": 81,
    "rule_id_top": {
      "taint-unsanitised-flow": 542,
      "state-unauthed-access": 41,
      "py.cmdi.subprocess_shell": 35,
      "js.code_exec.eval": 30,
      "taint-data-exfiltration": 29,
      "js.auth.missing_ownership_check": 26,
      "go.cmdi.exec_command": 20,
      "taint-open-redirect": 19,
      "cfg-unguarded-sink": 18,
      "state-use-after-close": 17,
      "java.cmdi.runtime_exec": 17,
      "taint-prototype-pollution": 16,
      "taint-template-injection": 15,
      "py.auth.missing_ownership_check": 15,
      "rb.cmdi.system_interp": 14
    },
    "rule_id_full": {
      "c.cmdi.system": 10,
      "c.memory.gets": 3,
      "c.memory.printf_no_fmt": 2,
      "c.memory.scanf_percent_s": 3,
      "c.memory.sprintf": 12,
      "c.memory.strcat": 3,
      "c.memory.strcpy": 6,
      "cfg-auth-gap": 2,
      "cfg-unguarded-sink": 18,
      "cpp.cmdi.popen": 1,
      "cpp.cmdi.system": 8,
      "cpp.memory.gets": 2,
      "cpp.memory.printf_no_fmt": 3,
      "cpp.memory.sprintf": 2,
      "cpp.memory.strcat": 1,
      "cpp.memory.strcpy": 2,
      "go.auth.admin_route_missing_admin_check": 3,
      "go.auth.missing_ownership_check": 8,
      "go.auth.partial_batch_authorization": 2,
      "go.auth.token_override_without_validation": 1,
      "go.cmdi.exec_command": 20,
      "go.transport.insecure_skip_verify": 1,
      "java.auth.admin_route_missing_admin_check": 2,
      "java.auth.missing_ownership_check": 3,
      "java.cmdi.runtime_exec": 17,
      "java.code_exec.text4shell_interpolator": 1,
      "java.deser.readobject": 5,
      "java.deser.snakeyaml_unsafe_constructor": 1,
      "js.auth.admin_route_missing_admin_check": 9,
      "js.auth.missing_ownership_check": 26,
      "js.auth.partial_batch_authorization": 3,
      "js.auth.token_override_without_validation": 6,
      "js.code_exec.eval": 30,
      "js.code_exec.new_function": 1,
      "js.config.cors_dynamic_origin": 1,
      "js.xss.ejs_unescaped": 2,
      "php.cmdi.system": 10,
      "php.code_exec.eval": 6,
      "php.code_exec.preg_replace_e": 1,
      "php.deser.unserialize": 2,
      "py.auth.admin_route_missing_admin_check": 4,
      "py.auth.missing_ownership_check": 15,
      "py.auth.partial_batch_authorization": 2,
      "py.auth.token_override_without_validation": 6,
      "py.cmdi.os_popen": 2,
      "py.cmdi.os_system": 13,
      "py.cmdi.subprocess_shell": 35,
      "py.code_exec.eval": 6,
      "py.code_exec.exec": 3,
      "py.deser.pickle_loads": 3,
      "py.deser.yaml_load": 3,
      "rb.auth.admin_route_missing_admin_check": 5,
      "rb.auth.missing_ownership_check": 14,
      "rb.auth.partial_batch_authorization": 2,
      "rb.auth.token_override_without_validation": 3,
      "rb.cmdi.backtick": 2,
      "rb.cmdi.system_interp": 14,
      "rb.code_exec.class_eval": 1,
      "rb.code_exec.eval": 3,
      "rb.code_exec.instance_eval": 1,
      "rb.deser.marshal_load": 2,
      "rb.deser.yaml_load": 2,
      "rs.auth.admin_route_missing_admin_check": 3,
      "rs.auth.missing_ownership_check": 9,
      "rs.auth.partial_batch_authorization": 2,
      "rs.auth.token_override_without_validation": 2,
      "rs.memory.copy_nonoverlapping": 1,
      "rs.memory.mem_zeroed": 1,
      "rs.memory.ptr_read": 1,
      "rs.memory.transmute": 2,
      "state-unauthed-access": 41,
      "state-use-after-close": 17,
      "taint-data-exfiltration": 29,
      "taint-header-injection": 13,
      "taint-ldap-injection": 9,
      "taint-open-redirect": 19,
      "taint-prototype-pollution": 16,
      "taint-template-injection": 15,
      "taint-unsanitised-flow": 542,
      "taint-xpath-injection": 8,
      "taint-xxe": 11
    }
  }
}