Fix scan branch detection — remove local branches from shared intelligence
The scan engine captures local git branches alongside remote branches via `git branch -a`. When scan.json is committed and shared (via `ana init commit`, AnaDocs, or agent consumption), developer-local branch state — stale refs, experiment branches, old sprint fossils — becomes permanent project intelligence. Two developers scanning the same repo produce different branch lists. This was discovered when our own scan.json was committed with 98 branches, 89 of which were stale local refs.
verdict PASSscore 11 / 11findings 3 (0 risk · 1 debt · 2 obs)duration 1h 6mrejection cycles 0shipped May 16, 2026surface cli
Pipeline timeline
Intent to proven code in 1h 6m across Think, Plan, Build, and Verify.
Think7m
Plan32m
Build4m
Verify3m
Assertion ledger
11 claims, each independently verified. Showing 8 — show all →
| ID | Says | Matcher | |
|---|---|---|---|
| A001 | Branch list on a repo with a remote contains only remote-tracking branches | verified | ok |
| A002 | Branch list includes branches that exist on the remote | verified | ok |
| A003 | Local-only repos still get their branches detected | verified | ok |
| A004 | Local-only repos include all local branches in the list | verified | ok |
| A005 | Dependency bot branches are excluded from branching convention analysis | verified | ok |
| A006 | Dependency bot branches are excluded from branching convention analysis | verified | ok |
| A007 | Human branch prefixes are still detected after bot filtering | verified | ok |
| A008 | The primary branching convention is never a bot prefix | verified | ok |
Findings 3 total
obspackages/cli/src/engine/detectors/git.ts→ monitor
Multi-remote repos: origin/ prefix stripping ignores non-origin remotes
debtpackages/cli/tests/engine/detectors/git-detection.test.ts→ closed
Bot prefix filtering tests cover 2 of 5 prefixes (dependabot/, renovate/) — snyk-, greenkeeper/, imgbot/ untested
obspackages/cli/src/engine/detectors/git.ts→ monitor
detectBranches and detectBranchPatterns both run git branch -r independently — two subprocess calls for the same data
Integrity seal
scopesha256:9143156664f8a...
contractsha256:fc88f6bdb9ee0...
plansha256:c6822384ec295...
specsha256:10f40b121d600...
build-reportsha256:5da2de45c6143...
build-datasha256:875737dc24d0f...
verify-reportsha256:33de6c85875a6...
verify-datasha256:f7210081654a7...
audit cmd$ ana proof audit fix-scan-branch-detection → all hashes match