Fix Python pyproject.toml parser — 3 bugs
The pyproject.toml parser silently fails to detect pytest for every Python project we've tested. Three bugs compound: (1) PEP 735 `[dependency-groups]` isn't parsed at all, (2) the TOML array regex terminates at extras brackets like `[trio]` inside package specifiers, truncating everything after, and (3) single-quoted strings are ignored. All 5 validated Python repos (fastapi, pydantic, litellm, reflex, prefect) show `testing: []` despite having pytest. The scan lies — it says "no tests" when tests exist.
verdict PASSscore 15 / 15findings 5 (0 risk · 1 debt · 4 obs)duration 22mrejection cycles 0shipped May 22, 2026surface cli
Pipeline timeline
Intent to proven code in 22m across Think, Plan, Build, and Verify.
Think5m
Plan5m
Build4m
Verify3m
Assertion ledger
15 claims, each independently verified. Showing 8 — show all →
| ID | Says | Matcher | |
|---|---|---|---|
| A001 | Dependencies listed under PEP 735 dependency-groups are detected | verified | ok |
| A002 | Multiple groups within dependency-groups are all extracted | verified | ok |
| A003 | Packages with extras brackets like anyio[trio] are fully parsed | verified | ok |
| A004 | Dependencies listed after an extras bracket are not truncated | verified | ok |
| A005 | Single-line dependency arrays continue to parse correctly | verified | ok |
| A006 | Single-quoted package names are extracted the same as double-quoted | verified | ok |
| A007 | Mixed single and double quotes in the same array both work | verified | ok |
| A008 | Fastapi-style pyproject.toml produces pytest in the dependency list | verified | ok |
Findings 5 total
debtpackages/cli/src/engine/parsers/python/pyproject.ts→ closed
Strategy numbering gap — 1, 2, 5, 3, 4 — from inserting PEP 735 before Poetry strategies
obspackages/cli/src/engine/parsers/python/pyproject.ts→ closed
TOML inline comments after closing bracket (e.g., `] # end`) would break \]\s*$ anchor
obspackages/cli/src/engine/parsers/python/pyproject.ts→ closed
Windows \r\n line endings could leave \r in captured content — $ matches before \n only
obspackages/cli/tests/engine/parsers/python.test.ts→ accept
A010 include-group test passes trivially — inline table syntax never matches extractFromArray regex
obspackages/cli/tests/engine/parsers/python.test.ts→ closed
No test for empty string or malformed TOML in dependency-groups — only empty section tested
Integrity seal
scopesha256:39afcbc50b975...
contractsha256:ab31cb0ac791f...
plansha256:e704dfa4ba7c2...
specsha256:90a5a66ff58c4...
build-reportsha256:59c1841fe68cf...
build-datasha256:7dbac61927635...
verify-reportsha256:b527e3c761c6a...
verify-datasha256:de1a3cec1cd00...
audit cmd$ ana proof audit fix-python-pyproject-parser → all hashes match