Setup Verification Hints
The setup agent presents scan output as-is. The developer confirms "yes" to config that might be misleading, because neither party has verified the consequential claims. The scan is deterministic code that makes heuristic bets — it's right most of the time, but when it's wrong, the error propagates silently into ana.json and project-context.md, shaping every pipeline run that follows.
verdict PASS
score 23 / 23
findings 6 (0 risk · 2 debt · 4 obs)
duration 5h 57m
rejection cycles 0
shipped May 23, 2026
surface cli
Pipeline timeline
Intent to proven code in 5h 57m across Think, Plan, Build, and Verify.
Think 14m
Plan 12m
Build 9m
Verify 6m
Assertion ledger
23 claims, each independently verified. Showing 8.
| ID | Says | Matcher | |
|---|---|---|---|
| A001 | Database detection captures the triggering npm package name | verified | ok |
| A002 | Auth detection captures the triggering npm package name | verified | ok |
| A003 | Payment detection captures the triggering npm package name | verified | ok |
| A004 | Package name fields are null when no detection occurs | verified | ok |
| A005 | Single-repo projects always produce empty provenance | verified | ok |
| A006 | Detection from the primary package produces empty provenance | verified | ok |
| A007 | Detection from a non-primary package records the source path | verified | ok |
| A008 | Provenance checks devDeps, not just production deps | verified | ok |
Findings 6 total
debt packages/cli/src/engine/scan-engine.ts → closed
detectAiSdk(allDeps) called twice — line 787 for stack and line 798 for provenance
obs packages/cli/tests/engine/detectors/dependencies.test.ts → closed
Duplicate @ana tag IDs across describe blocks (A001-A004 used by both old and new tests)
obs packages/cli/tests/engine/detectors/dependencies.test.ts → closed
Redundant toBeDefined() before specific toBe() in A008 and A009 tests
obs packages/cli/src/engine/detectors/dependencies.ts → monitor
No-primary-root edge case — findStackProvenance silently treats all roots as non-primary when no root.isPrimary is true
obs → closed
Spec gotcha said capture nodeAiSdk once and use in both stack and provenance — builder captured separately but didn't wire into stack construction
+1 more finding
Integrity seal
scope sha256:f5c9c70396237...
contract sha256:6a80820c03820...
plan sha256:681b9a2daa864...
spec sha256:1278078eaba4f...
build-report sha256:e01ece06fd274...
build-data sha256:deb9203585422...
verify-report sha256:ef84413fcd88e...
verify-data sha256:5436b0ca95749...
audit cmd: $ ana proof audit setup-verification-hints → all hashes match