Proof context file query
The proof chain stores rich intelligence — 49 callouts with file references, categories, code anchors, and full-text observations from every pipeline cycle. But there is no way to ask "what does the system know about THIS file?" Agents read PROOF_CHAIN.md — a flat list of 20 items about all files — and hope they notice what's relevant. The data is organized temporally (which feature produced it) when every consumer needs it organized spatially (which file is it about).
verdict PASSscore 24 / 24findings 9 (0 risk · 3 debt · 6 obs)duration 45mrejection cycles 1shipped Apr 25, 2026surface cli
Pipeline timeline
Intent to proven code in 45m across Think, Plan, Build, and Verify.
Think7m
Plan7m
Build32m
Verify6m
Assertion ledger
24 claims, each independently verified. Showing 8 — show all →
| ID | Says | Matcher | |
|---|---|---|---|
| A001 | A callout with a basename that matches exactly one touched module gets upgraded to the full path | verified | ok |
| A002 | The resolved path matches the module from modules_touched, not a fabricated path | verified | ok |
| A003 | A basename matching two or more touched modules stays as a basename | verified | ok |
| A004 | A basename matching zero touched modules stays unchanged | verified | ok |
| A005 | A callout file that already contains a path separator is not re-resolved | verified | ok |
| A006 | Build concern file fields are resolved using the same logic as callout files | verified | ok |
| A007 | Existing proof chain entries get their callout files resolved when the chain is rewritten | verified | ok |
| A008 | Path boundary checking prevents a file named route.ts from matching subroute.ts | verified | ok |
Findings 9 total
obspackages/cli/src/utils/proofSummary.ts→ closed
Root-level module paths won't match: `proofSummary.ts:336` — `m.endsWith('/' + basename)` requires a `/` prefix. A module at the repository root (e.g., bare `census.ts` in `modules_touched`) wouldn't match. Dormant — `git diff` always produces paths with directory segments. If `modules_touched` ever comes from a source that produces bare filenames, resolution silently skips them.
obspackages/cli/tests/utils/proofSummary.test.ts→ closed
A007 coverage is indirect for backfill: `proofSummary.test.ts:1129` — The `@ana A007` tag is on a unit test of `resolveCalloutPaths`, not an integration test of the backfill wiring at `work.ts:815-818`. The function IS the mechanism for backfill — proving the function works proves the mechanism works. But the 4-line loop calling it on `chain.entries` is verified only by code reading. Acceptable trade-off for straightforward wiring; a dedicated test would require mock filesystem for `proof_chain.json`.
obspackages/cli/tests/utils/proofSummary.test.ts→ closed
Pre-check tag collision across contracts: `proofSummary.test.ts:741` — The `@ana A007` tag from "file field to proof chain callouts" still exists alongside the new tag at line 1129. Pre-check counts both as coverage but can't distinguish contracts. This caused the original false COVERED in the first verification. Consider contract-scoped tags (e.g., `@ana proof-context-query:A007`) in a future pre-check enhancement.
obspackages/cli/tests/utils/proofSummary.test.ts→ closed
Tag at line 741 is now redundant for this contract: `proofSummary.test.ts:741` — Two `@ana A007` tags exist in the same file, from different contracts. The one at line 741 ("generateActiveIssuesMarkdown uses callout.file") is from a prior feature and is semantically unrelated to backfill. Not harmful, but future readers may be confused about which test covers A007 for which contract.
debtpackages/cli/src/utils/proofSummary.ts→ closed
`fileMatches` overmatch on same-basename different-directory paths: `proofSummary.ts:883` — If stored=`packages/a/census.ts` and queried=`packages/b/census.ts`, the function returns true because both paths end with `/census.ts`. The spec's three-tier matching intentionally prioritizes recall over precision, so this is by design. In practice, proof chain callouts rarely have duplicate basenames across different directories. If this becomes noisy, a future cycle could add exact-path-prefix matching as tier 1.5.
+4more findings
Integrity seal
scopesha256:15389cd045e57...
contractsha256:dad03df125a21...
plansha256:5a817ab0107f0...
specsha256:70972b976088c...
build-reportsha256:71aab35b16dfc...
verify-reportsha256:43324a6b96cda...
audit cmd$ ana proof audit proof-context-query → all hashes match