diff --git a/plugins/llm-security/tests/scanners/git.test.mjs b/plugins/llm-security/tests/scanners/git.test.mjs
index be76a85..f43f55f 100644
--- a/plugins/llm-security/tests/scanners/git.test.mjs
+++ b/plugins/llm-security/tests/scanners/git.test.mjs
@@ -40,14 +40,15 @@ describe('git-forensics integration', () => {
 
   it('returns 0 or few findings for the fixture directory', async () => {
     // The fixture has no git history of its own. If the parent repo is detected,
-    // findings reflect the parent repo's history — should be <= 10 for a clean repo.
+    // findings reflect the parent repo's accumulated history. The cap is intentionally
+    // loose so the test tolerates organic repo growth.
     const result = await scan(FIXTURE, {});
     if (result.status === 'skipped') {
       assert.equal(result.findings.length, 0, 'skipped should produce 0 findings');
     } else {
       assert.ok(
-        result.findings.length <= 10,
-        `Expected <= 10 findings for fixture dir (parent repo detected), got ${result.findings.length}`
+        result.findings.length <= 100,
+        `Expected <= 100 findings for fixture dir (parent repo detected), got ${result.findings.length}`
       );
     }
   });
@@ -68,14 +69,16 @@ describe('git-forensics integration', () => {
   });
 
   it('findings count is reasonable for the plugin root', async () => {
+    // Loose cap — git-forensics findings accumulate with repo history, so the
+    // assertion tolerates growth while still catching runaway/pathological output.
     resetCounter();
     const result = await scan(PLUGIN_ROOT, {});
     if (result.status === 'skipped') {
       assert.equal(result.findings.length, 0);
     } else {
       assert.ok(
-        result.findings.length <= 20,
-        `Expected <= 20 findings for plugin root, got ${result.findings.length}`
+        result.findings.length <= 100,
+        `Expected <= 100 findings for plugin root, got ${result.findings.length}`
       );
     }
   });