Backend Service Surface Detection
The surface detector has a structural blind spot for backend services. All three existing signals rely on filesystem artifacts: bin fields (Signal 1), directory conventions (Signal 2), and config files (Signal 3). Backend frameworks like Express, Fastify, Koa, Hono, and Elysia are imported as dependencies — they leave no filesystem trace beyond package.json. This causes 6-8 repos in the 85-repo validation set to have legitimate backend services invisible to the scan. A startup with a Next.js frontend + Express API backend detects the frontend but misses the backend entirely.
verdict PASSscore 16 / 16findings 5 (0 risk · 1 debt · 4 obs)duration 1h 11mrejection cycles 0shipped May 23, 2026surface cli
Pipeline timeline
Intent to proven code in 1h 11m across Think, Plan, Build, and Verify.
Think33m
Plan4m
Build5m
Verify5m
Assertion ledger
16 claims, each independently verified. Showing 8 — show all →
| ID | Says | Matcher | |
|---|---|---|---|
| A001 | A backend package matching both a config file and a server framework is detected exactly once | verified | ok |
| A002 | The server framework list contains exactly ten frameworks | verified | ok |
| A003 | Express is recognized as a server framework | verified | ok |
| A004 | Fastify is recognized as a server framework | verified | ok |
| A005 | NestJS core is recognized as a server framework | verified | ok |
| A006 | Hono is recognized as a server framework | verified | ok |
| A007 | A server framework in dev dependencies does not trigger backend detection | verified | ok |
| A008 | A backend with fewer than fifteen source files is not detected as a surface | verified | ok |
Findings 5 total
debtpackages/cli/tests/engine/detectors/surfaces.test.ts→ closed
Test file JSDoc still says 'three signals' instead of 'four signals'
obspackages/cli/src/engine/detectors/surfaces.ts→ closed
Signal 4 checks fileCount before deps — minor perf preference but Object.keys().some() runs even when fileCount is sufficient
obspackages/cli/tests/engine/detectors/surfaces.test.ts→ closed
No test for package with server dep but NO scripts at all (empty scripts array)
obspackages/cli/tests/engine/detectors/surfaces.test.ts→ closed
No test for multiple packages where one is caught by Signal 3 and another by Signal 4 in the same census
obs→ closed
Contract A013 matcher 'exists' for a code comment is not mechanically verifiable via test — requires source inspection
Integrity seal
scopesha256:74bc13e414972...
contractsha256:bf0c521621363...
plansha256:b7505f15a9eca...
specsha256:a78e226ed0cf7...
build-reportsha256:75e4ff73b780d...
build-datasha256:41945c0810de0...
verify-reportsha256:ea4d83e7995e4...
verify-datasha256:c1d055e26b8eb...
audit cmd$ ana proof audit add-backend-surface-detection → all hashes match