tsafe-attest
Attestation scanner for tsafe —
secret-detection + env-authority scanner.
Status
Phase 3 of the algol→tsafe migration: scanner lifted from
algol/src/scan.rs Phase 2.1, relicensed AGPL-3.0-or-later, with the
SHA-256 → BLAKE3 fingerprint swap per ec ADR-0003.
Wired behind tsafe attest scan (default-on, no --experimental-scan
flag needed).
Scanner numbers (N=100 synthetic corpus)
| Scanner | Precision | Recall | F1 |
|---|---|---|---|
| tsafe-attest (Phase 3 port) | 1.000 | 1.000 | 1.000 |
| gitleaks 8.30.1 | 1.000 | 0.729 | 0.843 |
See
ecosystem-catalog/portfolio-algol-tsafe-phase2-1-precision-recovery-2026-05-21.md
for the full Phase 2.1 verdict and confidence intervals.
Honest disclosure: the N=100 corpus is synthetic (deterministic pseudo-random secrets generated from a fixed seed). Real-world false-positive / false-negative rates will differ. Report issues at the tsafe repo.
Hash family
Content fingerprints emitted on ScanFinding.hash are BLAKE3
(blake3:<64 hex chars>) per ec ADR-0003 (hash convergence). This
replaces the SHA-256 wire format used by algol Phase 2 (sha256:<hex>)
and is a breaking change as of Phase 3; see CHANGELOG.
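A consumer that stores or compares fingerprints across the Phase 2 to Phase 3 boundary has to tell the two wire formats apart, because a sha256: value and a blake3: value for the same content never match. The following is an added example, not code from tsafe-attest: the Fingerprint and FingerprintError types and parse_fingerprint are hypothetical names, and the sample values are constructed.

```rust
// Added example; type and function names are hypothetical, not the tsafe-attest API.
#[derive(Debug, PartialEq)]
pub enum Fingerprint<'a> {
    Blake3(&'a str),       // Phase 3 format: blake3:<64 hex chars>
    LegacySha256(&'a str), // algol Phase 2 format: sha256:<hex>
}

#[derive(Debug, PartialEq)]
pub enum FingerprintError {
    UnknownScheme,
    BadLength(usize),
    NonHex,
}

// Assumption: the page does not state the hex case, so both cases are accepted.
fn is_hex(s: &str) -> bool {
    !s.is_empty() && s.bytes().all(|b| b.is_ascii_hexdigit())
}

/// Classify a fingerprint string as current, legacy, or malformed.
pub fn parse_fingerprint(raw: &str) -> Result<Fingerprint<'_>, FingerprintError> {
    if let Some(digest) = raw.strip_prefix("blake3:") {
        if digest.len() != 64 {
            return Err(FingerprintError::BadLength(digest.len()));
        }
        if !is_hex(digest) {
            return Err(FingerprintError::NonHex);
        }
        Ok(Fingerprint::Blake3(digest))
    } else if let Some(digest) = raw.strip_prefix("sha256:") {
        // The page gives no digest length for the legacy format,
        // so only hex-ness is checked here.
        if !is_hex(digest) {
            return Err(FingerprintError::NonHex);
        }
        Ok(Fingerprint::LegacySha256(digest))
    } else {
        Err(FingerprintError::UnknownScheme)
    }
}

fn main() {
    // Constructed sample values, not real findings.
    let samples = [
        format!("blake3:{}", "ab".repeat(32)),
        format!("sha256:{}", "cd".repeat(32)),
        String::from("blake3:abcd"),
    ];
    for s in &samples {
        println!("{s} -> {:?}", parse_fingerprint(s));
    }
}
```

Records that parse as LegacySha256 cannot be converted in place; the content has to be rescanned to obtain its BLAKE3 fingerprint.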
License
AGPL-3.0-or-later (cohort default for tools that ship to crates.io).