Commit hygiene checks at build-report save
Build agents make normal `git commit` calls during the build phase — code changes, test additions, dependency updates. These commits go through whatever hooks the project has (or doesn't have). But `ana artifact save build-report` commits with `--no-verify`, bypassing all hooks. Between these two commit types, there's no mechanical check that inspects the full branch diff for pipeline-specific footguns.
verdict: PASS
score: 24 / 24
findings: 8 (0 risk · 5 debt · 3 obs)
duration: 3h 8m
rejection cycles: 0
shipped: May 14, 2026
surface: cli
Pipeline timeline
Intent to proven code in 3h 8m across Think, Plan, Build, and Verify.
Think: 3m
Plan: 13m
Build: 11m
Verify: 5m
Assertion ledger
24 claims, each independently verified. Showing 8.
| ID | Says | Matcher | |
|---|---|---|---|
| A001 | Hygiene checks run when saving a build report | verified | ok |
| A002 | Hygiene checks do not run for non-build-report saves | verified | ok |
| A024 | Batch save via saveAllArtifacts also triggers hygiene checks | verified | ok |
| A003 | No additional git diff calls are made during hygiene checks | verified | ok |
| A004 | A lockfile changed without its manifest is flagged | verified | ok |
| A005 | A lockfile changed alongside its manifest is not flagged | verified | ok |
| A006 | Any package.json in a monorepo satisfies the lockfile requirement | verified | ok |
| A007 | A committed file containing an API key is flagged | verified | ok |
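
The rules behind assertions A004 to A007, sketched as an added TypeScript example; this is not the project's `runCommitHygieneChecks`. The function name `checkHygiene`, the lockfile list, and the two secret patterns are assumptions, and the input is a pre-parsed map of added lines so the check itself makes no git calls.

```typescript
// Added example; all names are hypothetical, not the project's own code.
type Finding = { check: "lockfile-without-manifest" | "possible-secret"; file: string; detail: string };

// Assumption: npm, pnpm and yarn lockfiles; the page does not list the ones the tool knows.
const LOCKFILES = ["package-lock.json", "pnpm-lock.yaml", "yarn.lock"];

// Assumption: two illustrative secret shapes; a real rule set would be broader.
const SECRET_PATTERNS: Array<[string, RegExp]> = [
  ["aws-access-key-id", /\bAKIA[0-9A-Z]{16}\b/],
  ["generic-api-key", /\bapi[_-]?key\b\s*[:=]\s*["'][A-Za-z0-9_\-]{20,}["']/i],
];

const baseName = (p: string): string => p.split("/").pop() || p;

// `added` maps each path changed on the branch to the lines the branch adds to it,
// parsed once by the caller from a diff it already has; this function runs no git commands.
function checkHygiene(added: Record<string, string[]>): Finding[] {
  const findings: Finding[] = [];
  const paths = Object.keys(added);
  // Any package.json anywhere in the tree counts as the manifest (monorepo case).
  const manifestChanged = paths.some((p) => baseName(p) === "package.json");
  for (const p of paths) {
    if (LOCKFILES.indexOf(baseName(p)) !== -1 && !manifestChanged) {
      findings.push({ check: "lockfile-without-manifest", file: p, detail: "no package.json changed" });
    }
    for (const [name, re] of SECRET_PATTERNS) {
      const idx = added[p].findIndex((line) => re.test(line));
      // Report the rule and position only, so the finding never copies the secret.
      if (idx >= 0) findings.push({ check: "possible-secret", file: p, detail: `${name}, added line ${idx + 1}` });
    }
  }
  return findings;
}

// Constructed branch diff: lockfile bumped alone, plus AWS's documentation example key ID.
const SAMPLE_BRANCH: Record<string, string[]> = {
  "pnpm-lock.yaml": ["  version: 4.17.21"],
  "packages/cli/src/config.ts": ['const key = "AKIAIOSFODNN7EXAMPLE";'],
};
console.log(checkHygiene(SAMPLE_BRANCH));
```
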
Findings 8 total
debt · packages/cli/tests/commands/commit-hygiene.test.ts → closed
A002 test is tautological — verifies key absence without calling the function, not the gating conditional
debt · packages/cli/tests/commands/commit-hygiene.test.ts → closed
A017 uses toHaveProperty (existence) instead of asserting specific values — passes on any object shape
debt · packages/cli/tests/commands/commit-hygiene.test.ts → closed
A019 is type-level only — verifies ProofChainEntry accepts commit_hygiene, not that writeProofChain actually reads and writes it
obs · packages/cli/tests/commands/commit-hygiene.test.ts → closed
A024 tests the same function call as A001 — doesn't exercise saveAllArtifacts code path, just calls runCommitHygieneChecks directly
debt · packages/cli/src/commands/artifact.ts → closed
CommitHygieneFinding and runCommitHygieneChecks exported for test access — widens module public API
+3 more findings
Integrity seal
audit cmd: `$ ana proof audit commit-hygiene-checks` → all hashes match