@nimiplatform/nimi-coding 0.1.0

package/cli/lib/audit-sweep-runtime/format.mjs

@@ -0,0 +1,57 @@
+export function formatAuditSweepPayload(payload) {
+  if (!payload.ok) {
+    if (payload.error) {
+      return payload.error;
+    }
+    if (payload.checks) {
+      const failed = payload.checks.filter((entry) => !entry.ok);
+      return `audit-sweep ${payload.sweepId ?? "result"} validation failed\nchecks: ${payload.checks.length - failed.length}/${payload.checks.length}\nfailed: ${failed.map((entry) => entry.reason).join("; ")}\n`;
+    }
+    return "audit-sweep failed\n";
+  }
+
+  const lines = [`audit-sweep ${payload.sweepId ?? payload.auditCloseout?.sweep_id ?? "result"}`];
+  for (const [label, value] of [
+    ["plan", payload.planRef],
+    ["chunk", payload.chunkRef],
+    ["ledger", payload.ledgerRef],
+    ["latest ledger", payload.latestLedgerRef],
+    ["report", payload.reportRef],
+    ["remediation map", payload.remediationMapRef],
+    ["audit closeout", payload.auditCloseoutRef],
+    ["packet", payload.packetRef],
+    ["run ledger", payload.runLedgerRef],
+  ]) {
+    if (value) {
+      lines.push(`${label}: ${value}`);
+    }
+  }
+  if (payload.state) {
+    lines.push(`state: ${payload.state}`);
+  }
+  if (payload.chunkCount !== undefined) {
+    lines.push(`chunks: ${payload.chunkCount}`);
+  }
+  if (payload.includedFiles !== undefined) {
+    lines.push(`included files: ${payload.includedFiles}`);
+  }
+  if (payload.findingCount !== undefined) {
+    lines.push(`findings: ${payload.findingCount}`);
+  }
+  if (payload.findingClusterCount !== undefined) {
+    lines.push(`finding clusters: ${payload.findingClusterCount}`);
+  }
+  if (payload.clusteredSymptomCount !== undefined) {
+    lines.push(`clustered symptoms: ${payload.clusteredSymptomCount}`);
+  }
+  if (payload.unresolvedFindingCount !== undefined) {
+    lines.push(`open findings: ${payload.unresolvedFindingCount}`);
+  }
+  if (payload.waveCount !== undefined) {
+    lines.push(`remediation waves: ${payload.waveCount}`);
+  }
+  if (payload.checks) {
+    lines.push(`checks: ${payload.checks.filter((entry) => entry.ok).length}/${payload.checks.length}`);
+  }
+  return `${lines.join("\n")}\n`;
+}

package/cli/lib/audit-sweep-runtime/ingest.mjs

@@ -0,0 +1,486 @@
+import { copyFile, mkdir, readFile } from "node:fs/promises";
+import path from "node:path";
+
+import {
+  FINDING_ACTIONABILITY,
+  FINDING_CONFIDENCE,
+  FINDING_SEVERITY,
+  appendRunEvent,
+  artifactPath,
+  artifactRef,
+  chunkRef,
+  ensureIsoTimestamp,
+  findingsRef,
+  inputError,
+  loadChunk,
+  loadFindings,
+  loadJsonFile,
+  loadPlan,
+  resolveInsideProject,
+  safeSweepId,
+  sha256Object,
+  withAuditSweepMutationLock,
+  writeYamlRef,
+} from "./common.mjs";
+import {
+  buildDuplicateSymptom,
+  buildRiskBudgetStatus,
+  clusterAcceptanceMatchesPlan,
+  createCluster,
+  deriveFindingCluster,
+  ensureClusterStore,
+  findingRequiresCanonicalInCluster,
+  updateClusterWithCanonical,
+} from "./risk-budget.mjs";
+import { buildAuditValidityForEvidence, p0p1ImplementationRefsForChunk } from "./audit-validity.mjs";
+import { isPlainObject } from "../value-helpers.mjs";
+import { pathExists } from "../fs-helpers.mjs";
+
+export function validateEvidenceEnvelope(evidence, chunk) {
+  if (!isPlainObject(evidence)) {
+    return { ok: false, error: "audit evidence must be a JSON object" };
+  }
+  if (evidence.chunk_id !== chunk.chunk_id) {
+    return { ok: false, error: "audit evidence chunk_id must match the ingested chunk" };
+  }
+  if (!isPlainObject(evidence.auditor) || typeof evidence.auditor.id !== "string" || !evidence.auditor.id.trim()) {
+    return { ok: false, error: "audit evidence auditor.id is required" };
+  }
+  if (!isPlainObject(evidence.coverage) || !Array.isArray(evidence.coverage.files)) {
+    return { ok: false, error: "audit evidence coverage.files is required" };
+  }
+  if (chunk.planning_basis === "spec_authority") {
+    if (!Array.isArray(evidence.coverage.authority_refs)) {
+      return { ok: false, error: "spec-authority audit evidence coverage.authority_refs is required" };
+    }
+    const coveredAuthority = [...evidence.coverage.authority_refs].sort();
+    const expectedAuthority = [...(chunk.authority_refs ?? chunk.files)].sort();
+    if (coveredAuthority.length !== expectedAuthority.length || coveredAuthority.some((fileRef, index) => fileRef !== expectedAuthority[index])) {
+      return { ok: false, error: "audit evidence coverage.authority_refs must exactly match chunk authority refs" };
+    }
+    const coveredFiles = [...evidence.coverage.files].sort();
+    if (coveredFiles.length !== expectedAuthority.length || coveredFiles.some((fileRef, index) => fileRef !== expectedAuthority[index])) {
+      return { ok: false, error: "spec-authority audit evidence coverage.files must exactly match chunk authority refs" };
+    }
+    const evidenceFiles = evidence.coverage.evidence_files;
+    if (!Array.isArray(evidenceFiles)) {
+      return { ok: false, error: "spec-authority audit evidence coverage.evidence_files is required" };
+    }
+    const normalizedEvidenceFiles = evidenceFiles.map((fileRef) => typeof fileRef === "string" ? fileRef.replace(/\\/g, "/") : fileRef);
+    if (normalizedEvidenceFiles.some((fileRef) => typeof fileRef !== "string")) {
+      return { ok: false, error: "spec-authority audit evidence coverage.evidence_files must contain file refs" };
+    }
+    const expectedEvidenceFiles = [...(chunk.evidence_inventory ?? [])].sort();
+    const coveredEvidenceFiles = [...normalizedEvidenceFiles].sort();
+    if (coveredEvidenceFiles.length !== expectedEvidenceFiles.length
+      || coveredEvidenceFiles.some((fileRef, index) => fileRef !== expectedEvidenceFiles[index])) {
+      return { ok: false, error: "spec-authority audit evidence coverage.evidence_files must exactly match chunk evidence inventory" };
+    }
+    const outcomes = evidence.coverage.authority_outcomes;
+    if (!Array.isArray(outcomes)) {
+      return { ok: false, error: "spec-authority audit evidence coverage.authority_outcomes is required" };
+    }
+    const expectedAuthoritySet = new Set(expectedAuthority);
+    const outcomeAuthorityRefs = new Set();
+    const validStatuses = new Set(["audited", "blocked", "not_applicable"]);
+    for (const [index, outcome] of outcomes.entries()) {
+      if (!isPlainObject(outcome)) {
+        return { ok: false, error: `authority_outcomes[${index}] must be an object` };
+      }
+      const authorityRef = typeof outcome.authority_ref === "string" ? outcome.authority_ref.replace(/\\/g, "/") : "";
+      if (!expectedAuthoritySet.has(authorityRef)) {
+        return { ok: false, error: `authority_outcomes[${index}].authority_ref must belong to chunk authority_refs` };
+      }
+      if (outcomeAuthorityRefs.has(authorityRef)) {
+        return { ok: false, error: `authority_outcomes contains duplicate authority_ref ${authorityRef}` };
+      }
+      outcomeAuthorityRefs.add(authorityRef);
+      if (!validStatuses.has(outcome.status)) {
+        return { ok: false, error: `authority_outcomes[${index}].status must be audited, blocked, or not_applicable` };
+      }
+      if (!Array.isArray(outcome.evidence_refs)) {
+        return { ok: false, error: `authority_outcomes[${index}].evidence_refs must be an array` };
+      }
+      for (const evidenceRef of outcome.evidence_refs) {
+        if (typeof evidenceRef !== "string" || !chunkAllowsFindingFile(chunk, evidenceRef.replace(/\\/g, "/"))) {
+          return { ok: false, error: `authority_outcomes[${index}].evidence_refs must belong to chunk authority refs or evidence inventory` };
+        }
+      }
+      if (outcome.status === "audited" && outcome.evidence_refs.length === 0) {
+        return { ok: false, error: `authority_outcomes[${index}] audited status requires evidence_refs` };
+      }
+      if (outcome.status !== "audited" && (typeof outcome.reason !== "string" || !outcome.reason.trim())) {
+        return { ok: false, error: `authority_outcomes[${index}] ${outcome.status} status requires reason` };
+      }
+    }
+    if (outcomeAuthorityRefs.size !== expectedAuthority.length) {
+      return { ok: false, error: "spec-authority audit evidence coverage.authority_outcomes must contain exactly one entry per authority ref" };
+    }
+  } else {
+    const covered = [...evidence.coverage.files].sort();
+    const expected = [...chunk.files].sort();
+    if (covered.length !== expected.length || covered.some((fileRef, index) => fileRef !== expected[index])) {
+      return { ok: false, error: "audit evidence coverage.files must exactly match chunk files" };
+    }
+  }
+  if (!Array.isArray(evidence.findings)) {
+    return { ok: false, error: "audit evidence findings must be an array" };
+  }
+  const p0p1EvidenceRefsValidation = validateP0P1EvidenceRefs(evidence, chunk);
+  if (!p0p1EvidenceRefsValidation.ok) {
+    return p0p1EvidenceRefsValidation;
+  }
+  return { ok: true };
+}
+
+function isInsideRef(rootRef, fileRef) {
+  const normalizedRoot = rootRef.replace(/\\/g, "/").replace(/\/$/, "");
+  return fileRef === normalizedRoot || fileRef.startsWith(`${normalizedRoot}/`);
+}
+
+function chunkAllowsFindingFile(chunk, fileRef) {
+  if (chunk.files.includes(fileRef)) {
+    return true;
+  }
+  if (chunk.planning_basis !== "spec_authority") {
+    return false;
+  }
+  return Array.isArray(chunk.evidence_inventory) && chunk.evidence_inventory.includes(fileRef);
+}
+
+function chunkAllowsP0P1EvidenceRef(chunk, fileRef) {
+  return p0p1ImplementationRefsForChunk(chunk).includes(fileRef);
+}
+
+function validateP0P1EvidenceRefs(evidence, chunk) {
+  if (evidence.coverage.p0p1_evidence_refs === undefined) {
+    return { ok: true };
+  }
+  if (!Array.isArray(evidence.coverage.p0p1_evidence_refs)) {
+    return { ok: false, error: "coverage.p0p1_evidence_refs must be an array when present" };
+  }
+  for (const [index, evidenceRef] of evidence.coverage.p0p1_evidence_refs.entries()) {
+    const normalizedRef = typeof evidenceRef === "string" ? evidenceRef.replace(/\\/g, "/") : null;
+    if (!normalizedRef || !chunkAllowsP0P1EvidenceRef(chunk, normalizedRef)) {
+      return { ok: false, error: `coverage.p0p1_evidence_refs[${index}] must belong to the chunk implementation surface` };
+    }
+  }
+  return { ok: true };
+}
+
+function normalizeFinding(rawFinding, index, chunk, sweepId, evidenceRef, verifiedAt) {
+  if (!isPlainObject(rawFinding)) {
+    return { ok: false, error: `finding ${index + 1} must be an object` };
+  }
+
+  const severity = String(rawFinding.severity ?? "");
+  if (!FINDING_SEVERITY.has(severity)) {
+    return { ok: false, error: `finding ${index + 1} severity must be one of critical, high, medium, low` };
+  }
+
+  const actionability = String(rawFinding.actionability ?? "");
+  if (!FINDING_ACTIONABILITY.has(actionability)) {
+    return { ok: false, error: `finding ${index + 1} actionability must be one of auto-fix, needs-decision, deferred-backlog` };
+  }
+
+  const confidence = String(rawFinding.confidence ?? "");
+  if (!FINDING_CONFIDENCE.has(confidence)) {
+    return { ok: false, error: `finding ${index + 1} confidence must be one of high, medium, low` };
+  }
+
+  const category = typeof rawFinding.category === "string" && rawFinding.category.trim() ? rawFinding.category.trim() : null;
+  const impact = typeof rawFinding.impact === "string" && rawFinding.impact.trim() ? rawFinding.impact.trim() : null;
+  const title = typeof rawFinding.title === "string" && rawFinding.title.trim() ? rawFinding.title.trim() : null;
+  const description = typeof rawFinding.description === "string" && rawFinding.description.trim() ? rawFinding.description.trim() : null;
+  if (!category || !impact || !title || !description) {
+    return { ok: false, error: `finding ${index + 1} category, impact, title, and description are required` };
+  }
+
+  if (!isPlainObject(rawFinding.location) || typeof rawFinding.location.file !== "string" || !rawFinding.location.file.trim()) {
+    return { ok: false, error: `finding ${index + 1} location.file is required` };
+  }
+  const fileRef = rawFinding.location.file.replace(/\\/g, "/");
+  if (!chunkAllowsFindingFile(chunk, fileRef)) {
+    return { ok: false, error: `finding ${index + 1} location.file must belong to chunk ${chunk.chunk_id}` };
+  }
+
+  if (!isPlainObject(rawFinding.evidence)) {
+    return { ok: false, error: `finding ${index + 1} evidence object is required` };
+  }
+  const evidenceSummary = typeof rawFinding.evidence.summary === "string" && rawFinding.evidence.summary.trim()
+    ? rawFinding.evidence.summary.trim()
+    : null;
+  const auditorReasoning = typeof rawFinding.evidence.auditor_reasoning === "string" && rawFinding.evidence.auditor_reasoning.trim()
+    ? rawFinding.evidence.auditor_reasoning.trim()
+    : null;
+  if (!evidenceSummary || !auditorReasoning) {
+    return { ok: false, error: `finding ${index + 1} evidence.summary and evidence.auditor_reasoning are required` };
+  }
+
+  const normalized = {
+    sweep_id: sweepId,
+    chunk_id: chunk.chunk_id,
+    owner_domain: chunk.owner_domain,
+    severity,
+    category,
+    actionability,
+    confidence,
+    impact,
+    location: {
+      file: fileRef,
+      ...(Number.isInteger(rawFinding.location.line) && rawFinding.location.line > 0 ? { line: rawFinding.location.line } : {}),
+      ...(typeof rawFinding.location.symbol === "string" && rawFinding.location.symbol.trim() ? { symbol: rawFinding.location.symbol.trim() } : {}),
+    },
+    title,
+    description,
+    root_cause: null,
+    cluster_id: null,
+    evidence: {
+      summary: evidenceSummary,
+      auditor_reasoning: auditorReasoning,
+      ...(typeof rawFinding.evidence.snippet === "string" && rawFinding.evidence.snippet.trim() ? { snippet: rawFinding.evidence.snippet.trim() } : {}),
+    },
+    disposition: "open",
+    evidence_ref: evidenceRef,
+    detected_at: verifiedAt,
+  };
+
+  return {
+    ok: true,
+    finding: normalized,
+    fingerprint: sha256Object({
+      severity,
+      category,
+      actionability,
+      file: normalized.location.file,
+      line: normalized.location.line ?? null,
+      symbol: normalized.location.symbol ?? null,
+      title,
+      description,
+      evidenceSummary,
+    }),
+  };
+}
+
+function existingFindingForFingerprint(store, fingerprint) {
+  return store.findings.find((finding) => finding.fingerprint === fingerprint) ?? null;
+}
+
+function sameLocation(left, right) {
+  return left?.location?.file === right?.location?.file
+    && (left?.location?.line ?? null) === (right?.location?.line ?? null)
+    && (left?.location?.symbol ?? null) === (right?.location?.symbol ?? null);
+}
+
+function existingFindingForRetryLocation(store, finding) {
+  return store.findings.find((existing) => existing.chunk_id === finding.chunk_id
+    && existing.severity === finding.severity
+    && sameLocation(existing, finding)) ?? null;
+}
+
+function clusterForFinding(store, finding) {
+  if (!finding?.cluster_id) {
+    return null;
+  }
+  return store.clusters.find((cluster) => cluster.cluster_id === finding.cluster_id) ?? null;
+}
+
+function recordClusteredSymptom(store, cluster, finding, fingerprint, classification) {
+  cluster.duplicate_symptoms.push(buildDuplicateSymptom(finding, fingerprint, classification));
+  cluster.duplicate_symptom_count = (cluster.duplicate_symptom_count ?? 0) + 1;
+  cluster.source_chunks = [...new Set([...(cluster.source_chunks ?? []), finding.chunk_id])].sort();
+  cluster.files = [...new Set([...(cluster.files ?? []), finding.location.file])].sort();
+  cluster.updated_at = finding.detected_at;
+  store.clustered_symptom_count = (store.clustered_symptom_count ?? 0) + 1;
+}
+
+export async function ingestAuditSweepChunk(projectRoot, options) {
+  const sweepId = safeSweepId(options.sweepId);
+  if (!sweepId || typeof options.chunkId !== "string") {
+    return inputError("nimicoding audit-sweep refused: --sweep-id and --chunk-id are required.\n");
+  }
+
+  const timestampError = ensureIsoTimestamp(options.verifiedAt);
+  if (timestampError) {
+    return timestampError;
+  }
+
+  const source = resolveInsideProject(projectRoot, options.fromPath ?? "", "--from");
+  if (!source.ok) {
+    return inputError(source.error);
+  }
+  const sourceInfo = await pathExists(source.absolutePath);
+  if (!sourceInfo || !sourceInfo.isFile()) {
+    return inputError("nimicoding audit-sweep refused: --from must point to an existing JSON file.\n");
+  }
+
+  return withAuditSweepMutationLock(projectRoot, sweepId, "chunk ingest", async () => {
+  const planResult = await loadPlan(projectRoot, sweepId);
+  if (!planResult.ok) {
+    return inputError(planResult.error);
+  }
+  const chunkResult = await loadChunk(projectRoot, sweepId, options.chunkId);
+  if (!chunkResult.ok) {
+    return inputError(chunkResult.error);
+  }
+  if (chunkResult.chunk.state !== "dispatched") {
+    return inputError("nimicoding audit-sweep refused: chunk ingest requires dispatched state.\n");
+  }
+
+  const evidenceJson = await loadJsonFile(source.absolutePath);
+  if (!evidenceJson.ok) {
+    return inputError("nimicoding audit-sweep refused: --from must contain valid JSON.\n");
+  }
+  const envelope = validateEvidenceEnvelope(evidenceJson.value, chunkResult.chunk);
+  if (!envelope.ok) {
+    return inputError(`nimicoding audit-sweep refused: ${envelope.error}.\n`);
+  }
+  const auditValidity = buildAuditValidityForEvidence(chunkResult.chunk, evidenceJson.value);
+  if (auditValidity.posture === "invalid") {
+    return inputError(`nimicoding audit-sweep refused: audit evidence is invalid no-finding evidence (${auditValidity.blockers.map((blocker) => blocker.id).join(", ")}).\n`);
+  }
+
+  const evidenceRef = artifactRef("evidence_refs", sweepId, `${options.chunkId}.audit-evidence.json`);
+  await mkdir(path.dirname(artifactPath(projectRoot, evidenceRef)), { recursive: true });
+  await copyFile(source.absolutePath, artifactPath(projectRoot, evidenceRef));
+
+  const { findingsRef: aggregateFindingsRef, store } = await loadFindings(projectRoot, sweepId);
+  ensureClusterStore(store);
+  const seen = new Set(store.findings.map((finding) => finding.fingerprint));
+  const clustersByKey = new Map(store.clusters.map((cluster) => [cluster.cluster_key, cluster]));
+  let addedCount = 0;
+  let duplicateCount = 0;
+  let clusteredCount = 0;
+  let acceptedClusterSkipCount = 0;
+  for (const [index, rawFinding] of evidenceJson.value.findings.entries()) {
+    const normalized = normalizeFinding(rawFinding, index, chunkResult.chunk, sweepId, evidenceRef, options.verifiedAt);
+    if (!normalized.ok) {
+      return inputError(`nimicoding audit-sweep refused: ${normalized.error}.\n`);
+    }
+    const clusterResult = deriveFindingCluster(rawFinding, normalized.finding, chunkResult.chunk, planResult.plan);
+    if (!clusterResult.ok) {
+      return inputError(`nimicoding audit-sweep refused: finding ${index + 1} ${clusterResult.error}.\n`);
+    }
+    if (seen.has(normalized.fingerprint)) {
+      duplicateCount += 1;
+      const sourceFinding = existingFindingForFingerprint(store, normalized.fingerprint);
+      const sourceCluster = clusterForFinding(store, sourceFinding);
+      if (sourceCluster) {
+        recordClusteredSymptom(store, sourceCluster, normalized.finding, normalized.fingerprint, "exact_duplicate");
+        clusteredCount += 1;
+      }
+      continue;
+    }
+    const sameLocationRetry = existingFindingForRetryLocation(store, normalized.finding);
+    if (sameLocationRetry) {
+      duplicateCount += 1;
+      const sourceCluster = clusterForFinding(store, sameLocationRetry);
+      if (sourceCluster) {
+        recordClusteredSymptom(store, sourceCluster, normalized.finding, normalized.fingerprint, "same_chunk_location_retry");
+        clusteredCount += 1;
+      }
+      continue;
+    }
+
+    let cluster = clustersByKey.get(clusterResult.cluster.cluster_key) ?? null;
+    const acceptedClusterSameContext = cluster && clusterAcceptanceMatchesPlan(cluster, planResult.plan);
+    const acceptedClusterChangedContext = cluster && cluster.acceptance && !acceptedClusterSameContext;
+    if (acceptedClusterSameContext) {
+      recordClusteredSymptom(store, cluster, normalized.finding, normalized.fingerprint, "accepted_cluster_resume_skip");
+      store.accepted_cluster_skip_count = (store.accepted_cluster_skip_count ?? 0) + 1;
+      acceptedClusterSkipCount += 1;
+      clusteredCount += 1;
+      continue;
+    }
+    if (cluster && !acceptedClusterChangedContext && !findingRequiresCanonicalInCluster(normalized.finding, cluster)) {
+      recordClusteredSymptom(store, cluster, normalized.finding, normalized.fingerprint, "clustered_duplicate_symptom");
+      duplicateCount += 1;
+      clusteredCount += 1;
+      continue;
+    }
+
+    const finding = {
+      id: `finding-${String(store.findings.length + 1).padStart(4, "0")}`,
+      fingerprint: normalized.fingerprint,
+      ...normalized.finding,
+      root_cause: {
+        key: clusterResult.cluster.root_cause_key,
+        authority_ref: clusterResult.cluster.authority_ref,
+        evidence_root: clusterResult.cluster.evidence_root,
+        contract_seam: clusterResult.cluster.contract_seam,
+        repair_target: clusterResult.cluster.repair_target,
+      },
+      cluster_id: clusterResult.cluster.cluster_id,
+    };
+    seen.add(normalized.fingerprint);
+    store.findings.push(finding);
+    if (cluster) {
+      updateClusterWithCanonical(cluster, finding);
+    } else {
+      cluster = createCluster(clusterResult.cluster, finding);
+      store.clusters.push(cluster);
+      clustersByKey.set(cluster.cluster_key, cluster);
+    }
+    addedCount += 1;
+  }
+  store.duplicate_count = (store.duplicate_count ?? 0) + duplicateCount;
+  store.remediation_obligation_count = store.findings.length;
+  store.updated_at = options.verifiedAt;
+  await writeYamlRef(projectRoot, aggregateFindingsRef, store);
+  const riskBudgetStatus = buildRiskBudgetStatus(planResult.plan, store, options.verifiedAt);
+
+  const updatedChunk = {
+    ...chunkResult.chunk,
+    state: "ingested",
+    evidence_ref: evidenceRef,
+    finding_count: evidenceJson.value.findings.length,
+    audit_validity: auditValidity,
+    lifecycle: {
+      ...chunkResult.chunk.lifecycle,
+      ingested_at: options.verifiedAt,
+    },
+    updated_at: options.verifiedAt,
+  };
+  await writeYamlRef(projectRoot, chunkResult.chunkRef, updatedChunk);
+  await writeYamlRef(projectRoot, planResult.planRef, {
+    ...planResult.plan,
+    risk_budget_status: riskBudgetStatus,
+    chunks: planResult.plan.chunks.map((chunk) => chunk.chunk_id === options.chunkId
+      ? { ...chunk, state: "ingested", finding_count: evidenceJson.value.findings.length, evidence_ref: evidenceRef, audit_validity: auditValidity }
+      : chunk),
+    updated_at: options.verifiedAt,
+  });
+
+  const runRef = await appendRunEvent(projectRoot, sweepId, {
+    event_type: "chunk_ingested",
+    chunk_id: options.chunkId,
+    chunk_ref: chunkRef(sweepId, options.chunkId),
+    evidence_ref: evidenceRef,
+    findings_ref: aggregateFindingsRef,
+    finding_count: evidenceJson.value.findings.length,
+    audit_validity: auditValidity,
+    added_count: addedCount,
+    duplicate_count: duplicateCount,
+    clustered_count: clusteredCount,
+    accepted_cluster_skip_count: acceptedClusterSkipCount,
+    risk_budget_status: riskBudgetStatus,
+  });
+
+  return {
+    ok: true,
+    exitCode: 0,
+    sweepId,
+    chunkId: options.chunkId,
+    state: "ingested",
+    evidenceRef,
+    findingsRef: aggregateFindingsRef,
+    findingCount: evidenceJson.value.findings.length,
+    addedCount,
+    duplicateCount,
+    clusteredCount,
+    acceptedClusterSkipCount,
+    riskBudgetStatus,
+    runLedgerRef: runRef,
+  };
+  });
+}