You called it before I had the number, and the number makes your point for you!
Positive controls, run for real: isolate each secure guard, push the paired attack through it, require it to fire. Every fire is gated so the rate can't be precision in disguise: a benign input must not fire, and a kill mutation (swap the guard for a pass-through) must make the fire vanish, which also proves the harness routes through the guard instead of hardcoding a verdict. I self-tested the runner on four known-good/known-bad cases and ran a blind check: a generator built a harness for the entropy scanner without being told it was broken, and the runner returned no-fire. Measuring the
oracle was the move I skipped, and you were right that it is the load-bearing one.
And it earned its keep immediately. One bulk pass I ran (a different model, generating harnesses at scale) reused six canned attack strings across every example; it "found" 106 no-fires. The mutation score gave it away: a 39% harness false-negative rate and a 15% fire rate where careful harnesses hit 100%. Those 106 were the oracle misfiring, not defects. I threw the batch out and regenerated it properly. So: the same disease you flagged, caught by the same medicine, on my own tooling.
Measured recall, a census of the executable subset rather than a sample: AI/ML 442 of 442 (100%, 95% CI 99.1-100%), web 77 of 77 (100%, CI 95.3-100%). Every executable secure guard in both configs, 519 in all, fired on its paired attack. Zero no-fires, zero new defects.
Now for the slice, which is the real story, imho. That rate is the number for guard-shaped examples, not the corpus. AI/ML is mostly guard-shaped, about 66% runnable, so the 100% means something. Web is not: positive-control-runnable is 79 of 1,249, roughly 6%. Not because web fixes are worse, but because most are a different object. 56% have no isolable callable at all: the fix is a Spring or Flask annotation, a security-header middleware, a TLS setting, a dependency pin, or secrets moved to env variables. 14% is a language I don't run, 12% is JavaScript I haven't wrapped. There's no input to feed.
So...I'm publishing two numbers, not one, plus a caveat: measured recall on the executable subset, and the remainder as unmeasured-by-positive-control. One tweak to the framing, though. The remainder isn't unpushed-on. It got the same adversarial review, which is how the dead-code defects got caught; it just lacks a mechanized recall estimate. So it keeps the human-reviewed status rather than inheriting a rate your own argument says is probably worse.
The limit I didn't expect: even on the executable subset, positive controls catch one class. I re-ran our three removed defects as known positives. The check caught one: the entropy scanner, broken guard logic. It missed two: correct guards that were dead code or never saw the data they were meant to scrub. Isolation cannot see reachability. One of three. The fire rate is broken-guard-logic recall, complementary to the review that caught the rest, not a replacement.
Where the fix is a guard, it holds up. Where it is config, positive controls are the wrong instrument, and I would rather say so than score it anyway. Thank you, and I mean that sincerely. This thread made the dataset more honest than the audit did.