Guard the anatrace-core load and emit the first real attestation records

Anatomia's headline differentiator — behavioral attestation — has never produced a record. Two defects, one work item:

verdict PASSscore 12 / 12findings 6 (1 risk · 2 debt · 3 obs)duration 1h 40mrejection cycles 0shipped Jun 17, 2026surface cli

Pipeline timeline

Intent to proven code in 1h 40m across Think, Plan, Build, and Verify.

Think
15m
Plan
37m
Build
13m
Verify
7m

Assertion ledger

12 claims, each independently verified. Showing 8 — show all →

IDSaysMatcher
A001When the attestation engine can't be loaded, saving abstains instead of crashingverifiedok
A002A missing attestation engine never throws out of the save pathverifiedok
A003A missing attestation engine surfaces a loud, visible warning instead of failing silentlyverifiedok
A004Routine skips like no role or no session stay quiet — the missing-engine warning is not a false alarmverifiedok
A005An empty engine version makes attestation abstain rather than stamp a bogus recordverifiedok
A006When the engine version is empty, no attestation file is written to diskverifiedok
A007The recorded engine version matches the engine package actually installedverifiedok
A008A real attestation always stamps a non-empty engine versionverifiedok

Findings 6 total

obspackages/cli/src/utils/compliance.tsacknowledge
loadCore deviates from spec's prescribed bare-require idiom — resolves package.json, reads exports['.'].import, and require()s the ESM entry by absolute path. Necessary (anatrace-core is import-only ESM; bare require throws ERR_PACKAGE_PATH_NOT_EXPORTED) and well-commented; proven working by the emitted build record.
riskpackages/cli/src/utils/compliance.tsmonitor
Node version portability: loadCore uses require() on an ESM .mjs entry. Unflagged require(ESM) landed in Node 22.12.0; README states 'Node 22+'. On Node 22.0-22.11 an installed engine would throw ERR_REQUIRE_ESM, get caught, and falsely surface the loud 'anatrace-core not resolvable' line. Works on current toolchain (Node 25 here).
obspackages/cli/src/utils/compliance.tsmonitor
Spec's documented edge 'core present but package.json unreadable -> loadCore succeeds, version guard abstains silently' is no longer true. loadCore now reads package.json to find the ESM entry, so an unreadable package.json yields a LOUD abstain, not a silent version abstain. The version guard's production reachability narrows to a present-but-missing/non-string version field (plus the test injection seam). Arguably more correct, but deviates from documented semantics.
debtpackages/cli/tests/commands/_capture.test.tsscope
Tag drift: this contract's A009 (package.json anatrace-core dependency == '0.4.0') has no matching @ana A009 tag. The pin test that actually enforces it (tests/commands/_capture.test.ts:220) carries stale IDs '@ana A001, A045, A046' from a prior cycle's contract. A009 verified by source inspection (pin literal '0.4.0', store resolves anatrace-core@0.4.0), but the tag linkage is broken.
debtpackages/cli/tests/utils/compliance.test.tsmonitor
Quiet-direction test (A004) covers only the no-role benign path; spec named 'no role OR no session'. loadCore: () => null is injected but never invoked because the role guard short-circuits first — so the test cannot distinguish a correctly-quiet benign path from a broken loud guard. It correctly pins the ordering intent, but is single-path.
+1more findings

Provenance

Who ran what, and what it cost. Recomputable estimates from the shared price table — subordinate to the verdict, never gating.

model claude-opus-4-8
sessionturnstoolsinoutcachecost
ana36167.0k16.2k655.0k$1.02
plan43187.1k42.2k1.1M$2.16
build117488.0k42.4k3.9M$3.62
verify56267.3k25.2k1.2M$1.74
TOTAL 4 sessions$8.54 (table 2026-06-14)
churn 2 files · +159/−30
completeness ✓ complete (plan 1/1 · build 1/1 · verify 1/1)

Session attestation

How each agent session behaved, coverage-aware. Evidence, not a gate — unverifiable is honest abstention, not a failure.

core v0.4.0 · framework anatomia
build · 16 claims
1 satisfied · 0 violated · 15 unverifiable
coverage 1/16 checked · 15 unverifiable
ana-build:verify-independence unverifiable (channel-coverage-incomplete)
contract:file-scope:packages/cli/src/utils/compliance.ts unverifiable (channel-coverage-incomplete)
contract:file-scope:packages/cli/tests/utils/compliance.test.ts unverifiable (channel-coverage-incomplete)
mandate sha256:9fcdae1bfc… · transcript sha256:aca3bfa77f…
⚠ incomplete coverage
verify · 19 claims
2 satisfied · 0 violated · 17 unverifiable
coverage 2/19 checked · 17 unverifiable
ana-verify:verify-independence unverifiable (channel-coverage-incomplete)
ana-verify:no-code-branch-mutation:git-rebase unverifiable (command-unresolvable)
ana-verify:no-code-branch-mutation:git-push---force unverifiable (command-unresolvable)
mandate sha256:ca783e405b… · transcript sha256:f855cb44a6…
⚠ incomplete coverage
verdict veto: not applied — verify did not read build_report.md
veto is forward-only; pre-veto verdicts were self-reported.

Integrity seal

scopesha256:749084c7c0326...
contractsha256:8062d586124a7...
plansha256:a1025e1902b48...
specsha256:28770701e57c4...
build-reportsha256:abea33d1d6098...
build-datasha256:d1fa562b5e6df...
verify-reportsha256:bcca8bdff4efe...
verify-datasha256:40fc82748da68...
audit cmd$ ana proof audit attestation-emit-and-guard   → all hashes match