Fix Workspace Glob Fallback
Three repos in the 90-repo validation set fail completely on `ana scan`: umami crashes, erxes gets zero detection, immich gets zero detection. These are the only repos where the product FAILS — every other known limitation is partial detection, not total failure. A developer hitting this on their first `npx anatomia-cli scan` would never come back.
verdict PASSscore 14 / 14findings 4 (0 risk · 1 debt · 3 obs)duration 19h 1mrejection cycles 0shipped May 25, 2026surface cli
Pipeline timeline
Intent to proven code in 19h 1m across Think, Plan, Build, and Verify.
Think7m
Plan5m
Build4m
Verify4m
Assertion ledger
14 claims, each independently verified. Showing 8 — show all →
| ID | Says | Matcher | |
|---|---|---|---|
| A001 | A workspace with unresolvable glob patterns doesn't crash the scan | verified | ok |
| A002 | Root package dependencies are detected when workspace globs can't be resolved | verified | ok |
| A003 | Dev dependencies from root are detected when workspace globs can't be resolved | verified | ok |
| A004 | Exactly one primary source root exists when workspace globs can't be resolved | verified | ok |
| A005 | No monorepo tool is reported when workspace packages can't be resolved | verified | ok |
| A006 | Dependencies from root package.json are recovered when workspace packages have invalid metadata | verified | ok |
| A007 | Dev dependencies from root are recovered when workspace packages have invalid metadata | verified | ok |
| A008 | Scan treats a failed workspace as single-repo with recovered deps | verified | ok |
Findings 4 total
obspackages/cli/src/engine/census.ts→ monitor
rootDevDeps is empty in Fix B path — fallback devDeps only flow through sourceRoot.devDeps
obspackages/cli/src/engine/census.ts→ closed
Defensive guard for !result.rootPackage is unreachable with current @manypkg behavior
debtpackages/cli/tests/engine/census.test.ts→ monitor
Fix A test does not assert deps/devDeps are separated correctly — only checks allDeps
obspackages/cli/src/engine/census.ts→ closed
fallbackRootPackage type allows scripts as Record<string, unknown> but JSON.parse returns any — no runtime validation
Integrity seal
scopesha256:48873cb5e70c3...
contractsha256:b3351aa73038b...
plansha256:1b5a849dcf0c2...
specsha256:22a0d5b24d67a...
build-reportsha256:45621d9d52ebe...
build-datasha256:a3919e88d7c72...
verify-reportsha256:ed60310df44e2...
verify-datasha256:7dbb63a8a214b...
audit cmd$ ana proof audit fix-workspace-glob-fallback → all hashes match