Guard the anatrace-core load and emit the first real attestation records
Anatomia's headline differentiator — behavioral attestation — has never produced a record. Two defects, one work item:
verdict PASSscore 12 / 12findings 6 (1 risk · 2 debt · 3 obs)duration 1h 40mrejection cycles 0shipped Jun 17, 2026surface cli
Pipeline timeline
Intent to proven code in 1h 40m across Think, Plan, Build, and Verify.
Think15m
Plan37m
Build13m
Verify7m
Assertion ledger
12 claims, each independently verified. Showing 8 — show all →
| ID | Says | Matcher | |
|---|---|---|---|
| A001 | When the attestation engine can't be loaded, saving abstains instead of crashing | verified | ok |
| A002 | A missing attestation engine never throws out of the save path | verified | ok |
| A003 | A missing attestation engine surfaces a loud, visible warning instead of failing silently | verified | ok |
| A004 | Routine skips like no role or no session stay quiet — the missing-engine warning is not a false alarm | verified | ok |
| A005 | An empty engine version makes attestation abstain rather than stamp a bogus record | verified | ok |
| A006 | When the engine version is empty, no attestation file is written to disk | verified | ok |
| A007 | The recorded engine version matches the engine package actually installed | verified | ok |
| A008 | A real attestation always stamps a non-empty engine version | verified | ok |
Findings 6 total
obspackages/cli/src/utils/compliance.ts→ acknowledge
loadCore deviates from spec's prescribed bare-require idiom — resolves package.json, reads exports['.'].import, and require()s the ESM entry by absolute path. Necessary (anatrace-core is import-only ESM; bare require throws ERR_PACKAGE_PATH_NOT_EXPORTED) and well-commented; proven working by the emitted build record.
riskpackages/cli/src/utils/compliance.ts→ monitor
Node version portability: loadCore uses require() on an ESM .mjs entry. Unflagged require(ESM) landed in Node 22.12.0; README states 'Node 22+'. On Node 22.0-22.11 an installed engine would throw ERR_REQUIRE_ESM, get caught, and falsely surface the loud 'anatrace-core not resolvable' line. Works on current toolchain (Node 25 here).
obspackages/cli/src/utils/compliance.ts→ monitor
Spec's documented edge 'core present but package.json unreadable -> loadCore succeeds, version guard abstains silently' is no longer true. loadCore now reads package.json to find the ESM entry, so an unreadable package.json yields a LOUD abstain, not a silent version abstain. The version guard's production reachability narrows to a present-but-missing/non-string version field (plus the test injection seam). Arguably more correct, but deviates from documented semantics.
debtpackages/cli/tests/commands/_capture.test.ts→ scope
Tag drift: this contract's A009 (package.json anatrace-core dependency == '0.4.0') has no matching @ana A009 tag. The pin test that actually enforces it (tests/commands/_capture.test.ts:220) carries stale IDs '@ana A001, A045, A046' from a prior cycle's contract. A009 verified by source inspection (pin literal '0.4.0', store resolves anatrace-core@0.4.0), but the tag linkage is broken.
debtpackages/cli/tests/utils/compliance.test.ts→ monitor
Quiet-direction test (A004) covers only the no-role benign path; spec named 'no role OR no session'. loadCore: () => null is injected but never invoked because the role guard short-circuits first — so the test cannot distinguish a correctly-quiet benign path from a broken loud guard. It correctly pins the ordering intent, but is single-path.
+1more findings
Provenance
Who ran what, and what it cost. Recomputable estimates from the shared price table — subordinate to the verdict, never gating.
model claude-opus-4-8
| session | turns | tools | in | out | cache | cost |
|---|---|---|---|---|---|---|
| ana | 36 | 16 | 7.0k | 16.2k | 655.0k | $1.02 |
| plan | 43 | 18 | 7.1k | 42.2k | 1.1M | $2.16 |
| build | 117 | 48 | 8.0k | 42.4k | 3.9M | $3.62 |
| verify | 56 | 26 | 7.3k | 25.2k | 1.2M | $1.74 |
| TOTAL 4 sessions | $8.54 (table 2026-06-14) | |||||
churn 2 files · +159/−30
completeness ✓ complete (plan 1/1 · build 1/1 · verify 1/1)
Session attestation
How each agent session behaved, coverage-aware. Evidence, not a gate — unverifiable is honest abstention, not a failure.
core v0.4.0 · framework anatomia
build · 16 claims
1 satisfied · 0 violated · 15 unverifiable
coverage 1/16 checked · 15 unverifiable
⚠ ana-build:verify-independence unverifiable (channel-coverage-incomplete)
⚠ contract:file-scope:packages/cli/src/utils/compliance.ts unverifiable (channel-coverage-incomplete)
⚠ contract:file-scope:packages/cli/tests/utils/compliance.test.ts unverifiable (channel-coverage-incomplete)
mandate sha256:9fcdae1bfc… · transcript sha256:aca3bfa77f…
⚠ incomplete coverage
verify · 19 claims
2 satisfied · 0 violated · 17 unverifiable
coverage 2/19 checked · 17 unverifiable
⚠ ana-verify:verify-independence unverifiable (channel-coverage-incomplete)
⚠ ana-verify:no-code-branch-mutation:git-rebase unverifiable (command-unresolvable)
⚠ ana-verify:no-code-branch-mutation:git-push---force unverifiable (command-unresolvable)
mandate sha256:ca783e405b… · transcript sha256:f855cb44a6…
⚠ incomplete coverage
verdict veto: not applied — verify did not read build_report.md
veto is forward-only; pre-veto verdicts were self-reported.
Integrity seal
scopesha256:749084c7c0326...
contractsha256:8062d586124a7...
plansha256:a1025e1902b48...
specsha256:28770701e57c4...
build-reportsha256:abea33d1d6098...
build-datasha256:d1fa562b5e6df...
verify-reportsha256:bcca8bdff4efe...
verify-datasha256:40fc82748da68...
audit cmd$ ana proof audit attestation-emit-and-guard → all hashes match