Retire Capture-Gate Self-Arming — Drive the Gate from a Committed Config Flag

Remove the capture gate's self-arming rollout mechanism — the invisible, gitignored, per-working-copy `.ana/state/capture.json` that flips a project from warn-mode to fail-closed only after it seals its first valid capture — and replace its enablement signal with a **visible, committed `ana.json` flag**. The gate, the seal, and the capture engine (the moat) are preserved exactly; only the *decision of when enforcement is on* changes from hidden runtime state to a `git`-tracked config fact.

verdict PASSscore 16 / 17findings 5 (0 risk · 1 debt · 4 obs)duration 13h 6mrejection cycles 1shipped Jun 6, 2026

Pipeline timeline

Intent to proven code in 13h 6m across Think, Plan, Build, and Verify.

Think
96m
Plan
42m
Build
601m
Verify
44m

Assertion ledger

17 claims, each independently verified. Showing 8 — show all →

IDSaysMatcher
A001With the capture gate enabled, a build report that has no valid test evidence is blockedverifiedok
A002With the gate enabled, a build report carrying valid sealed evidence is not blockedverifiedok
A003When the gate is off or unset, a build report with no evidence is never blockedverifiedok
A004With the gate enabled, unreadable or abstaining test counts still never block — only missing or corrupted evidence doesverifiedok
A005A project with a missing or malformed config reads as gate-off and is never blockedverifiedok
A006Verify reports are never blocked by the evidence gate, even when it is enabledverifiedok
A007Saves that are not build reports never trigger the evidence gate, even when it is enabledverifiedok
A008A project with the gate on but no runnable test command is never blockedverifiedok

Findings 5 total

obsCHANGELOG.mdclosed
AC15 spec/founder conflict resolved: spec said remove the `[Unreleased]` `### Changed` template-propagation note; founder explicitly decided to keep it (commit 9c787fa2) and confirmed during verify. Footer link corrected to v1.2.2...HEAD. Authorized spec deviation, not a defect — the note documents the same template-propagation behavior the project-context.md AC13 edit describes.
obspackages/cli/tests/commands/artifact.test.tsacknowledge
A014 (verify-report sealed account) now has a genuine targeted @ana A014 test: saves a verify report carrying a bare marker with the gate ON, then asserts the saved verify_report.md contains the begin/end delimiters, the real sha256, AND the verbatim captured bytes that were absent before the save. Closes the prior verify's AC9 PARTIAL gap. Not a sentinel.
debtpackages/cli/src/commands/work.tsmonitor
getWorkStatus reads + parses .ana/ana.json twice per call — once inline (readFileSync + JSON.parse) for lastScanAt/captureGate at work.ts:~500, then again inside isCaptureGateEnabled (which re-reads + AnaJsonSchema.parses the same file) for captureGateActive at ~515. Harmless (status is cold-path) but two reads of one file; could thread the parsed object through. Unchanged since prior verify.
obs.ana/state/capture.jsonclosed
Stale gitignored .ana/state/capture.json (armed:true, armedAt 2026-06-06T17:50:09Z) reappears in the dogfood worktree. NOT created by this build's code — the forbidden-symbol sweep confirms zero references to capture.json/armCapture/isArmed in src. It is written by the globally-installed (pre-merge, still-self-arming) `ana` binary used to run the pipeline; armedAt matches the moment `ana test` ran. Gitignored, untracked, non-shipping, inert under the new code. Resolves once the published binary carries this change. `rm` for hygiene.
obsclosed
Retiring self-arming dissolves the captured-test-evidence arming findings: isArmed double-read (C10) and the warnings-length valid-predicate proxy (C11) are both deleted with the arming machinery. The C9 block-message reassurance ('ana test seals a harmless abstain even when no tests run') is preserved in config terms in the re-framed message.

Integrity seal

scopesha256:a148cd16c69f6...
contractsha256:798f64a1fe5a6...
plansha256:3a734fdcb0b84...
specsha256:fe856f4a002f2...
build-reportsha256:bf6fe2e545397...
build-datasha256:4f033cf24a851...
verify-reportsha256:363c6d4e003cb...
verify-datasha256:5e9ef44e6092c...
audit cmd$ ana proof audit retire-capture-self-arming   → all hashes match