Problem
In a Laravel/PHP repo, desloppify can report security: clean during scan, record the security findings as resolved in .desloppify/progression.jsonl, and then immediately resurrect the same security findings in desloppify show security / desloppify status.
This makes the dashboard warn about unresolved security issues even though the detector phase is clean and the code has already been fixed.
Repro
Repo state after removing the flagged log lines:
- app/Http/Controllers/Webhooks/GitHubWebhookController.php:30 is now just $event = $request->header('X-GitHub-Event');
- app/Services/AlertChannels/TelegramAlertChannelDriver.php:35-37 now just returns false when config is missing
Commands:
desloppify show security
desloppify plan resolve 'security::app/Http/Controllers/Webhooks/GitHubWebhookController.php::security::log_sensitive::app/Http/Controllers/Webhooks/GitHubWebhookController.php::30' --force-resolve --note 'Removed webhook secret-adjacent logging so the missing-secret path no longer emits potentially sensitive operational details.' --attest 'I have actually removed the webhook secret-adjacent log path in GitHubWebhookController and I am not gaming the score by resolving without fixing.'
desloppify plan resolve 'security::app/Services/AlertChannels/TelegramAlertChannelDriver.php::security::log_sensitive::app/Services/AlertChannels/TelegramAlertChannelDriver.php::37' --note 'Removed Telegram credential warning logs so missing-token and send-failure paths no longer emit secret-adjacent diagnostic context.' --attest 'I have actually removed the Telegram credential-adjacent warning logs in TelegramAlertChannelDriver and I am not gaming the score by resolving without fixing.'
desloppify scan --path . --skip-slow
desloppify show security
desloppify status
Observed:
- scan phase prints security: clean (174 files scanned)
- .desloppify/progression.jsonl scan_complete payload contains the relevant resolved_ids
- desloppify show security still brings back the same two security findings
- desloppify status footer warns ⚠ 2 security issues
The latest scan_complete entry also showed security detector failing count as 0 in prev_dimension_scores.Security.detectors.security.failing, while state still surfaced the old findings.
Expected
If the detector reports clean and the findings are listed as resolved in progression, show security / status should not resurrect the same stale findings from state.
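As an added illustration of the behaviour described above (not desloppify's own code; the record layout of progression.jsonl and of the persisted state is assumed), a reconciliation that treats the latest scan_complete entry's resolved_ids and detector result as authoritative before anything from state is surfaced:

```python
import json
# Constructed sample records; the field layout is an assumption for illustration,
# not desloppify's real schema. Finding ids copy the format quoted in this report.
GITHUB_ID = ("security::app/Http/Controllers/Webhooks/GitHubWebhookController.php"
             "::security::log_sensitive::app/Http/Controllers/Webhooks/GitHubWebhookController.php::30")
TELEGRAM_ID = ("security::app/Services/AlertChannels/TelegramAlertChannelDriver.php"
               "::security::log_sensitive::app/Services/AlertChannels/TelegramAlertChannelDriver.php::37")
QUALITY_ID = "quality::app/Models/User.php::quality::long_method::app/Models/User.php::12"  # hypothetical
PROGRESSION_JSONL = "\n".join(json.dumps(r) for r in [
    {"event": "scan_complete", "resolved_ids": [],
     "prev_dimension_scores": {"Security": {"detectors": {"security": {"failing": 2}}}}},
    {"event": "scan_complete", "resolved_ids": [GITHUB_ID, TELEGRAM_ID],
     "prev_dimension_scores": {"Security": {"detectors": {"security": {"failing": 0}}}}},
])
# Persisted state still carrying the two stale security findings (the bug in this report).
STATE_FINDINGS = [
    {"id": GITHUB_ID, "dimension": "Security"},
    {"id": TELEGRAM_ID, "dimension": "Security"},
    {"id": QUALITY_ID, "dimension": "Quality"},
]

def latest_scan_complete(jsonl_text):
    """Return the last scan_complete record of an append-only JSONL log, or None."""
    last = None
    for line in jsonl_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if rec.get("event") == "scan_complete":
                last = rec
    return last

def security_detector_clean(scan):
    """True when the path quoted in the report shows zero failing security checks."""
    try:
        return scan["prev_dimension_scores"]["Security"]["detectors"]["security"]["failing"] == 0
    except (KeyError, TypeError):
        return False

def reconcile_findings(state_findings, jsonl_text):
    """Drop findings the latest scan resolved, or that a clean security detector refutes."""
    scan = latest_scan_complete(jsonl_text)
    if scan is None:
        return list(state_findings)  # no scan evidence: leave state untouched
    resolved = set(scan.get("resolved_ids", []))
    clean = security_detector_clean(scan)
    return [f for f in state_findings
            if f["id"] not in resolved and not (clean and f["dimension"] == "Security")]

def security_issue_count(state_findings, jsonl_text):
    return sum(f["dimension"] == "Security" for f in reconcile_findings(state_findings, jsonl_text))
```

With the constructed log, reconcile_findings keeps only the unrelated Quality finding and security_issue_count returns 0, which is what the status footer should show here.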
Notes
I also saw a related queue/state desync where desloppify next got stuck on workflow::run-scan even after resolving it, then later cleared itself. This may be part of the same state synchronization bug.