Common false positives / benign QA smoke

Old smoke gets a label.

Cosmo should not waste a dev's night chasing the same already-explained warning. This page names the boring stuff we can usually disregard, and the exact moment it becomes real again.

The rule: known and scoped gets downgraded. Fresh package logs, VM evidence, launch failures, and source/package drift still get treated like actual work.

Disregard When Scoped

These are not blanket ignores. They are tiny fences around known noise.

benign historical Old WebView2 show-front markers

Ignore old `CoreWebView2Controller`, `InvalidCastException`, or `native main show failed` hits only when they come from the long-lived source log dated on or before 2026-06-20.

Allowed old scope: the long-lived source watcher log under cosmo_app/_cosmo_data, dated on or before 2026-06-20.
  • Do not ignore fresh Lite package logs.
  • Do not ignore VM clean-install evidence.
  • Do not ignore a visible blank-window or launch regression.
expected prelaunch Download held redirect

Before the release gate opens, `/download` redirecting to `/#download-held` with HTTP 302 is correct. That is the trust model, not a broken button.

Expected: /download -> /#download-held (302)
  • Escalate if it points to a real installer early.
  • Escalate if it points to a placeholder or stale URL.
claim lint Negated claim hits

When docs say "do not claim broad Windows proof" or "no cloud training by default," the scanner may flag the phrase without understanding the negation.

  • Downgrade only when the negation is clear.
  • Escalate when the same claim appears as public hype.
search noise Dependency comments

`node_modules` files can mention false-positive rates or terminal color false positives. That is dependency text, not a Cosmo release finding.

  • Exclude from Cosmo brand and bug sweeps.
  • Include only during explicit dependency audits.

Still Real

This is the line we do not train ourselves to walk past.

Source hash drift is not benign. If current source differs from the packaged, staged, or installer source hash, that is a real provenance gap. It can be demo-safe. It is not release-proof-current until rebuild, restage, compile, and VM proof close the loop.