Fix Risk Findings
The proof chain has 6 risk-severity findings — the highest severity category. Three are fixable with minimal changes and zero blast radius. Fixing them clears the risk backlog and moves the health trend from "worsening" toward "improving."
verdict PASS
score 12 / 12
findings 5 (0 risk · 2 debt · 3 obs)
duration 19h 2m
rejection cycles 0
shipped May 25, 2026
Pipeline timeline
Intent to proven code in 19h 2m across Think, Plan, Build, and Verify.
Think 10m
Plan 61m
Build 5m
Verify 4m
Assertion ledger
12 claims, each independently verified. Showing 8.
| ID | Says | Matcher | |
|---|---|---|---|
| A001 | Surface commands escape single quotes in directory paths | verified | ok |
| A002 | Every generated command type uses the escaped path | verified | ok |
| A003 | Paths without single quotes produce unchanged command strings | verified | ok |
| A004 | Escaped path only affects the cd target, not the rest of the command | verified | ok |
| A005 | Backfill guard uses explicit null check instead of falsy coercion | verified | ok |
| A006 | Backfill guard no longer matches empty-string surfaces | verified | ok |
| A007 | A type restricts which stat keys the component accepts | verified | ok |
| A008 | The stat key type covers all nine valid statistics | verified | ok |
Findings 5 total
obs packages/cli/src/commands/init/state.ts → monitor
Path escape handles single quotes only — dollar signs, backticks in paths still break inside single-quoted shell context
obs packages/cli/src/commands/work.ts → closed
Backfill guard fix resolves fix-test-behavioral-coverage-C1 — empty string no longer triggers overwrite
debt website/components/docs/content/DocsStat.tsx → closed
DocsStatKey runtime fallback renders raw key name as visible page text — user sees 'proofCoutn' instead of a number if MDX has a typo
debt packages/cli/src/commands/work.ts → scope
No dedicated test for the backfill guard's empty-string behavior — only verified by source inspection
obs packages/cli/src/commands/init/state.ts → closed
fix-surface-test-priority-C1 still active — scripts['test'] !== undefined at state.ts:520 treats explicit null in package.json as present
Integrity seal
scope sha256:7fa51c5f4b898...
contract sha256:b99d11570f45a...
plan sha256:c86c688860d05...
spec sha256:434425f6e4409...
build-report sha256:d3cfa034fb299...
build-data sha256:8fce9649b38cb...
verify-report sha256:f6f0a3e906954...
verify-data sha256:f939b1ed4ca33...
audit cmd: $ ana proof audit fix-risk-findings → all hashes match