Fix non-product path over-exclusion at deep segments

PR #262 added `isNonProductPath` filtering to findings, hot files, schema detection, and deploy discovery. It works correctly for workspace package paths (1-3 segments) but over-excludes when segment names like `e2e`, `test`, `sandbox`, `templates`, `playground` appear deep inside product surfaces — because the filter checks ALL path segments, not just the package-level ones.

verdict PASSscore 21 / 21findings 4 (0 risk · 2 debt · 2 obs)duration 42mrejection cycles 0shipped Jun 2, 2026surface cli

Pipeline timeline

Intent to proven code in 42m across Think, Plan, Build, and Verify.

Think
3m
Plan
11m
Build
7m
Verify
4m

Assertion ledger

21 claims, each independently verified. Showing 8 — show all →

IDSaysMatcher
A001Deep product paths with excluded segment names are no longer over-excludedverifiedok
A002Top-level non-product directories are still excludedverifiedok
A003Non-product directories at depth 2 are still excludedverifiedok
A004Segments at exactly depth 3 are not excluded by the file-path filterverifiedok
A005The -e2e suffix check works within the depth limitverifiedok
A006The -e2e suffix check does not apply past the depth limitverifiedok
A007File-path filtering is case-insensitiveverifiedok
A008Package-path filtering still works for all segmentsverifiedok

Findings 4 total

debtpackages/cli/src/engine/detectors/surfaces.tsacknowledge
Redundant loop in isNonProductFilePath — EXCLUDED_SEGMENTS check and -e2e suffix check iterate the same range in separate loops
obspackages/cli/src/engine/detectors/surfaces.tsclosed
NON_PRODUCT_GLOB_IGNORE **/build/** collision with legitimate build directories persists — out of scope for this fix, tracked as fix-non-product-code-pollution-C5
debtpackages/cli/tests/engine/detectors/surfaces.test.tsmonitor
@ana tag namespace collision — surfaces.test.ts carries A001-A027 tags from 3+ prior contracts, making per-contract tag lookup ambiguous
obspackages/cli/src/engine/detectors/surfaces.tsclosed
isNonProductFilePath suffix loop comment doesn't explain why it can't use last-segment pattern (last segment is filename for file paths, not directory)

Integrity seal

scopesha256:05e34161dfbf2...
contractsha256:a8f577dd85612...
plansha256:52e716e494a85...
specsha256:1a9a847172666...
build-reportsha256:4758a438d6f57...
build-datasha256:7b7fe5f4f09e1...
verify-reportsha256:5f12e086abe22...
verify-datasha256:ad9d591c1e116...
audit cmd$ ana proof audit fix-non-product-over-exclusion   → all hashes match