@nimiplatform/nimi-coding 0.2.2 → 0.2.3

package/CHANGELOG.md

@@ -4,6 +4,22 @@ All notable changes to `@nimiplatform/nimi-coding` are tracked here.
 
 This project follows semantic versioning for published npm releases.
 
+## 0.2.3
+
+- Added `nimicoding sweep audit chunk audit-claude` for Claude-backed sweep
+  chunk audits with structured JSON output, evidence ingestion, review, freeze,
+  post-chunk validation, and run-ledger events.
+- Hardened Claude auditor output handling by normalizing Claude CLI JSON result
+  wrappers, including `structured_output` and replayed raw output files.
+- Tightened audit evidence normalization so AGENTS, README, spec, contract, and
+  methodology refs are treated as context rather than implementation evidence.
+- Improved P0/P1 validity and spec-authority evidence mapping so context-only
+  chunks can be marked not applicable while declared implementation refs,
+  including `.prisma` surfaces, map to the correct owner roots.
+- Updated default audit-sweep exclusions for common tool state and archive
+  directories while keeping host-specific `nimi/**` exclusions out of the
+  package defaults.
+
 ## 0.2.2
 
 - Fixed v2 doctor lifecycle/readiness derivation so host projects using the

package/README.md

@@ -314,7 +314,7 @@ repository itself keeps the package-owned source directly under
 
 ```bash
 pnpm install
-pnpm test           # runs the node:test suite (331 tests at 0.2.2)
+pnpm test           # runs the node:test suite (337 tests at 0.2.3)
 pnpm check:pack     # npm pack --dry-run
 pnpm check:ci       # test + pack + CLI help/version smoke
 ```

package/README.zh-CN.md

@@ -256,7 +256,7 @@ Nimi Coding 坐在你已经用的 AI host *底下*。它是让 AI 做完的工
 
 ```bash
 pnpm install
-pnpm test           # 跑 node:test 套件（0.2.2 共 331 用例）
+pnpm test           # 跑 node:test 套件（0.2.3 共 337 用例）
 pnpm check:pack     # npm pack --dry-run
 pnpm check:ci       # test + pack + CLI help/version smoke
 ```

package/cli/commands/audit-sweep.mjs

@@ -10,6 +10,7 @@ import {
   ingestAuditSweepChunk,
   resolveAuditSweepFinding,
   reviewAuditSweepChunk,
+  runClaudeAuditSweepChunk,
   runCodexAuditSweepChunk,
   skipAuditSweepChunk,
   validateAuditSweepArtifacts,
@@ -150,6 +151,23 @@ function parseChunkAuditCodexOptions(args) {
   });
 }
 
+function parseChunkAuditClaudeOptions(args) {
+  return parseOptions(args, "chunk audit-claude", {
+    sweepId: { flag: "--sweep-id", required: true },
+    chunkId: { flag: "--chunk-id", required: true },
+    dispatchedAt: { flag: "--dispatched-at", required: true },
+    verifiedAt: { flag: "--verified-at", required: true },
+    reviewedAt: { flag: "--reviewed-at", required: true },
+    auditor: { flag: "--auditor" },
+    reviewer: { flag: "--reviewer" },
+    summary: { flag: "--summary" },
+    claudeBin: { flag: "--claude-bin" },
+    fromRawOutput: { flag: "--from-raw-output" },
+    timeoutMs: { flag: "--timeout-ms", type: "positive-int" },
+    json: { default: false },
+  });
+}
+
 function parseChunkReviewOptions(args) {
   return parseOptions(args, "chunk review", {
     sweepId: { flag: "--sweep-id", required: true },
@@ -238,6 +256,9 @@ function parseAuditSweepOptions(args) {
   if (command === "chunk" && subcommand === "audit-codex") {
     return { ok: true, action: "chunk-audit-codex", parsed: parseChunkAuditCodexOptions(args.slice(2)) };
   }
+  if (command === "chunk" && subcommand === "audit-claude") {
+    return { ok: true, action: "chunk-audit-claude", parsed: parseChunkAuditClaudeOptions(args.slice(2)) };
+  }
   if (command === "chunk" && subcommand === "review") {
     return { ok: true, action: "chunk-review", parsed: parseChunkReviewOptions(args.slice(2)) };
   }
@@ -269,8 +290,8 @@ function parseAuditSweepOptions(args) {
   return {
     ok: false,
     error: `${localize(
-      "nimicoding sweep audit refused: expected one of `plan`, `chunk dispatch`, `chunk audit-codex`, `chunk ingest`, `chunk review`, `chunk skip`, `ledger build`, `remediation-map build`, `remediation-map admit`, `finding resolve`, `closeout summary`, `status`, or `validate`.",
-      "nimicoding sweep audit 已拒绝：需要使用 `plan`、`chunk dispatch`、`chunk ingest`、`chunk review`、`chunk skip`、`ledger build`、`remediation-map build`、`remediation-map admit`、`finding resolve`、`closeout summary`、`status` 或 `validate`。",
+      "nimicoding sweep audit refused: expected one of `plan`, `chunk dispatch`, `chunk audit-codex`, `chunk audit-claude`, `chunk ingest`, `chunk review`, `chunk skip`, `ledger build`, `remediation-map build`, `remediation-map admit`, `finding resolve`, `closeout summary`, `status`, or `validate`.",
+      "nimicoding sweep audit 已拒绝：需要使用 `plan`、`chunk dispatch`、`chunk audit-codex`、`chunk audit-claude`、`chunk ingest`、`chunk review`、`chunk skip`、`ledger build`、`remediation-map build`、`remediation-map admit`、`finding resolve`、`closeout summary`、`status` 或 `validate`。",
     )}\n`,
   };
 }
@@ -303,6 +324,7 @@ export async function runAuditSweep(args) {
     "chunk-dispatch": dispatchAuditSweepChunk,
     "chunk-ingest": ingestAuditSweepChunk,
     "chunk-audit-codex": runCodexAuditSweepChunk,
+    "chunk-audit-claude": runClaudeAuditSweepChunk,
     "chunk-review": reviewAuditSweepChunk,
     "chunk-skip": skipAuditSweepChunk,
     "ledger-build": buildAuditSweepLedger,
@@ -328,6 +350,7 @@ export async function runAuditSweep(args) {
 
 export {
   parseAuditSweepOptions,
+  parseChunkAuditClaudeOptions,
   parseChunkAuditCodexOptions,
   parseChunkDispatchOptions,
   parseChunkIngestOptions,

package/cli/constants.mjs

@@ -1,4 +1,4 @@
-export const VERSION = "0.2.2";
+export const VERSION = "0.2.3";
 export const PACKAGE_NAME = "@nimiplatform/nimi-coding";
 export const BOOTSTRAP_CONTRACT_ID = "nimicoding.bootstrap";
 export const BOOTSTRAP_CONTRACT_VERSION = 1;

package/cli/help.mjs

@@ -53,6 +53,7 @@ export function helpText() {
     `  ${styleCommand("nimicoding sweep audit plan --root <dir> [--criteria <csv>] [--exclude <csv>] [--max-files <n>] [--sweep-id <id>] [--json]")}`,
     `  ${styleCommand("nimicoding sweep audit chunk dispatch --sweep-id <id> --chunk-id <chunk-id> --dispatched-at <iso8601> [--auditor <id>] [--json]")}`,
     `  ${styleCommand("nimicoding sweep audit chunk audit-codex --sweep-id <id> --chunk-id <chunk-id> --dispatched-at <iso8601> --verified-at <iso8601> --reviewed-at <iso8601> [--from-raw-output <ref>] [--timeout-ms <ms>] [--json]")}`,
+    `  ${styleCommand("nimicoding sweep audit chunk audit-claude --sweep-id <id> --chunk-id <chunk-id> --dispatched-at <iso8601> --verified-at <iso8601> --reviewed-at <iso8601> [--from-raw-output <ref>] [--timeout-ms <ms>] [--json]")}`,
     `  ${styleCommand("nimicoding sweep audit chunk ingest --sweep-id <id> --chunk-id <chunk-id> --from <json> --verified-at <iso8601> [--json]")}`,
     `  ${styleCommand("nimicoding sweep audit chunk review --sweep-id <id> --chunk-id <chunk-id> --verdict <pass|fail> --reviewed-at <iso8601> [--summary <text>] [--json]")}`,
     `  ${styleCommand("nimicoding sweep audit chunk skip --sweep-id <id> --chunk-id <chunk-id> --reason <text> --skipped-at <iso8601> [--json]")}`,

package/cli/lib/audit-sweep-runtime/audit-validity.mjs

@@ -12,6 +12,20 @@ function normalizeFileRef(value) {
   return typeof value === "string" ? value.replace(/\\/g, "/") : null;
 }
 
+function isNonImplementationContextRef(ref) {
+  if (typeof ref !== "string") {
+    return false;
+  }
+  const normalized = ref.replace(/\\/g, "/");
+  return /(^|\/)AGENTS\.md$/u.test(normalized)
+    || /(^|\/)README\.md$/u.test(normalized)
+    || normalized.startsWith(".nimi/spec/")
+    || normalized.startsWith(".nimi/contracts/")
+    || normalized.startsWith(".nimi/methodology/")
+    || normalized.startsWith("package://@nimiplatform/nimi-coding/methodology/")
+    || normalized.startsWith("package://@nimiplatform/nimi-coding/spec/");
+}
+
 const REQUIRED_P0P1_RULE_CHECK_IDS = [
   "fail_open_or_pseudo_success",
   "partial_coverage_misrepresented_as_complete",
@@ -111,7 +125,7 @@ function looksSyntheticNoFindingEvidence(evidence) {
 
 export function p0p1ImplementationRefsForChunk(chunk) {
   if (chunk?.planning_basis === "spec_authority") {
-    return normalizeRefs(chunk?.evidence_inventory);
+    return normalizeRefs(chunk?.evidence_inventory).filter((ref) => !isNonImplementationContextRef(ref));
   }
   return normalizeRefs(chunk?.files);
 }
@@ -155,6 +169,7 @@ export function buildAuditValidityForEvidence(chunk, evidence) {
   const evidenceInventorySet = new Set(evidenceInventory);
   const p0p1ImplementationRefSet = new Set(p0p1ImplementationRefs);
   const hasImplementationInventory = evidenceInventory.length > 0;
+  const hasP0P1ImplementationInventory = p0p1ImplementationRefs.length > 0;
   const findingsEmpty = findings.length === 0;
   const p0p1RecallRequired = criteriaEnableP0P1Recall(chunk?.criteria);
   const hasP0P1Finding = findings.some((finding) => ["critical", "high"].includes(finding?.severity));
@@ -218,7 +233,7 @@ export function buildAuditValidityForEvidence(chunk, evidence) {
     const p0p1NegativeReasoning = typeof evidence?.coverage?.p0p1_negative_reasoning === "string"
       && evidence.coverage.p0p1_negative_reasoning.trim().length > 0;
     const p0p1EvidenceRefs = normalizeRefs(evidence?.coverage?.p0p1_evidence_refs);
-    const p0p1ImplementationNotApplicable = !hasImplementationInventory
+    const p0p1ImplementationNotApplicable = !hasP0P1ImplementationInventory
       && typeof evidence?.coverage?.p0p1_implementation_not_applicable_reason === "string"
       && evidence.coverage.p0p1_implementation_not_applicable_reason.trim().length > 0;
     const invalidP0P1EvidenceRefs = p0p1EvidenceRefs.filter((ref) => !p0p1ImplementationRefSet.has(ref));
@@ -248,7 +263,7 @@ export function buildAuditValidityForEvidence(chunk, evidence) {
         "P0/P1 no-finding evidence appears to be generated by a script or bulk template rather than a semantic audit.",
       ));
     }
-    if (hasImplementationInventory) {
+    if (hasP0P1ImplementationInventory) {
       if (!hasSemanticAuditorProvenance(evidence)) {
         blockers.push(diagnostic(
           "auditor_provenance_missing",

package/cli/lib/audit-sweep-runtime/claude-auditor.mjs

@@ -0,0 +1,647 @@
+import { spawn } from "node:child_process";
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+import path from "node:path";
+
+import {
+  appendRunEvent,
+  artifactPath,
+  artifactRef,
+  chunkRef,
+  ensureIsoTimestamp,
+  inputError,
+  loadChunk,
+  loadPlan,
+  packetRef,
+  resolveInsideProject,
+  safeSweepId,
+  withAuditSweepMutationLock,
+  writeYamlRef,
+} from "./common.mjs";
+import { buildAuditorPacket, reviewAuditSweepChunk, updatePlanChunk } from "./chunks.mjs";
+import { extractCodexAuditorEvidenceFile, P0P1_RULE_CHECK_IDS } from "./codex-auditor-evidence.mjs";
+import { ingestAuditSweepChunk } from "./ingest.mjs";
+import { budgetBlockForChunk } from "./risk-budget.mjs";
+import { validateAuditSweepArtifacts } from "./validators.mjs";
+
+const CLAUDE_AUDITOR_DEFAULT = "claude_semantic_auditor";
+const DEFAULT_CLAUDE_TIMEOUT_MS = 10 * 60 * 1000;
+const CLAUDE_TIMEOUT_KILL_GRACE_MS = 3000;
+const CLAUDE_RAW_SUFFIX = ".claude-raw.json";
+const CLAUDE_EVIDENCE_SUFFIX = ".claude-evidence.json";
+const CLAUDE_READONLY_ALLOWED_TOOLS = ["Read", "Grep", "Glob"];
+
+function claudeOutputRef(sweepId, chunkId, suffix) {
+  return artifactRef("evidence_refs", sweepId, "claude-output", `${chunkId}${suffix}`);
+}
+
+function claudeRunToken(timestamp) {
+  return timestamp.replace(/[^0-9A-Za-z]+/g, "-").replace(/^-+|-+$/g, "");
+}
+
+function projectRefForPath(projectRoot, absolutePath) {
+  return path.relative(projectRoot, absolutePath).replace(/\\/g, "/");
+}
+
+function claudePrompt({ packet, auditorPacketRef, rawRef, sessionRef }) {
+  return [
+    "OUTPUT FORMAT (HARD REQUIREMENT, READ FIRST):",
+    "Your reply MUST be exactly one JSON object. The first character of your reply MUST be `{` and the last character MUST be `}`. No prose, no apology, no markdown fences, no \"Audit complete\" summary, no commentary. Even when no findings are emitted, you MUST still emit the full JSON object (with findings: [] and the required negative_reasoning fields). A reply that is not a single JSON object will be rejected and the chunk will be marked failed.",
+    "",
+    "You are the Claude semantic auditor for a nimicoding sweep audit chunk.",
+    "Run in read-only, audit-only mode. Do not edit files. Do not implement product fixes.",
+    `Read the auditor packet from ${auditorPacketRef} and inspect the chunk authority refs and implementation evidence semantically.`,
+    "Do not rely on this prompt as the chunk inventory; the packet file is the source for files, authority_refs, selected_implementation_refs, audit_depth, retrieval_prepass, and the raw semantic output contract.",
+    "Scripts may not generate findings or no-findings; your conclusions must come from your own inspection.",
+    "The packet is compact: evidence_inventory/selected_implementation_refs is the manager-selected implementation slice, not the full manager-owned inventory.",
+    "Do not ask for, reconstruct, or echo the omitted full evidence_inventory. audit-claude will mechanically fill coverage.files, coverage.authority_refs, and full coverage.evidence_files from manager-owned chunk state.",
+    "You only author semantic audit content: authority_outcomes reasoning/status, inspected_implementation_refs, P0/P1 rule checks, p0p1_negative_reasoning when applicable, and findings.",
+    "For each authority outcome, set authority_ref to the packet authority_ref and put inspected implementation refs in inspected_implementation_refs or implementation_evidence_refs.",
+    "Every implementation ref you cite must be an exact file ref from packet.selected_implementation_refs / packet.evidence_inventory.",
+    "Never put AGENTS.md, README.md, spec files, authority refs, methodology docs, or governance docs in inspected_implementation_refs, implementation_evidence_refs, coverage.p0p1_evidence_refs, findings[].implementation_refs, or coverage.p0p1_rule_checks[].implementation_refs; even if packet.selected_implementation_refs includes them, treat them as context only.",
+    "If only context/governance/authority documents are available after that exclusion, use status=\"not_applicable\" for P0/P1 rule checks and explain the lack of implementation surface in negative_reasoning.",
+    "If a governance or authority document influenced reasoning, mention it only in negative_reasoning/description text, not in any implementation_refs array.",
+    "Use packet.audit_depth to size your inspection: deep means inspect the selected slice thoroughly, normal means focused semantic inspection, shallow means audit generated/table/index invariants from the selected slice without expanding the omitted inventory.",
+    "Return exactly one JSON object and nothing else. Do not wrap it in markdown.",
+    "The JSON object must have exactly these top-level fields: chunk_id, auditor, coverage, findings.",
+    `Set auditor.id to ${JSON.stringify(packet.auditor)}.`,
+    `Set auditor.mode to "claude_semantic_audit".`,
+    `Set auditor.methodology_ref to "package://@nimiplatform/nimi-coding/methodology/audit-sweep-p0p1-recall.yaml".`,
+    "Put P0/P1 rule checks only at coverage.p0p1_rule_checks.",
+    `Set auditor.provenance.kind to "semantic_audit".`,
+    `Set auditor.provenance.packet_ref to ${JSON.stringify(packetRef(packet.sweep_id, packet.chunk_id))}.`,
+    `Set auditor.provenance.session_ref to ${JSON.stringify(sessionRef)}.`,
+    `Set auditor.provenance.transcript_ref to ${JSON.stringify(rawRef)}.`,
+    "coverage.authority_outcomes must contain one outcome per authority_ref.",
+    `coverage.p0p1_rule_checks must contain exactly these ids and no aliases: ${P0P1_RULE_CHECK_IDS.join(", ")}.`,
+    "Each coverage.authority_outcomes[] object must include negative_reasoning when no critical/high finding is emitted for the chunk.",
+    "Each coverage.p0p1_rule_checks[] object must include id, status, implementation_refs, and negative_reasoning.",
+    "Use status=\"checked\" when implementation evidence was inspected; checked rules must cite at least one in-scope implementation ref.",
+    "Use status=\"not_applicable\" only when the rule truly has no implementation surface, and explain that in negative_reasoning.",
+    "When the packet evidence_inventory is empty and no critical/high finding is emitted, include coverage.p0p1_implementation_not_applicable_reason with the chunk-specific reason implementation refs are not applicable.",
+    "When findings is an empty array, you MUST include coverage.p0p1_negative_reasoning (string) explaining why no critical/high finding was emitted across all priority defect classes. Omitting this field will reject the audit.",
+    "Output MUST be exactly one JSON object. Do not prepend prose. Do not wrap in ```json fences. Do not append commentary. The first character MUST be `{` and the last character MUST be `}`.",
+    "Do not use priority defect class aliases such as authority_boundary_bypass, security_or_permission_bypass, destructive_action_without_gate, package_boundary_violation, or unadmitted_truth_or_evidence_source as rule check ids.",
+    "Do not emit coverage.files, coverage.authority_refs, or coverage.evidence_files; those fields are manager-owned and will be populated from the packet.",
+    "Do not emit authority_outcomes[].evidence_refs; it is manager-owned and will be built from authority_ref plus inspected implementation refs.",
+    "Every finding must include severity, category, impact, title, description, and location.file. Set severity to critical or high for P0/P1 findings. Set finding.category to one of the exact P0/P1 rule ids when the finding maps to a P0/P1 rule; do not use rule_id as the primary finding category field.",
+    "Set findings[].location.file to an exact packet.selected_implementation_refs file for implementation findings. For authority-only findings with no implementation surface, set findings[].location.file to the in-scope authority_ref that contains the defect.",
+    "authority_outcomes[].status is an audit-process enum only: audited, blocked, or not_applicable.",
+    "Use status=audited when the authority/evidence was inspected, even if you discovered violations.",
+    "When an authority outcome uses status=blocked or status=not_applicable, include reason with the chunk-specific blocker or not-applicable explanation.",
+    "Do not use compliance verdicts such as violated, pass, fail, compliant, or non_compliant in authority_outcomes[].status; put violations in findings.",
+    "For no-finding chunks, include chunk-specific inspected implementation refs, P0/P1 rule checks, and negative reasoning.",
+  ].join("\n");
+}
+
+function stripCodeFence(text) {
+  const trimmed = text.trim();
+  if (!trimmed.startsWith("```")) {
+    return text;
+  }
+  const fenceEnd = trimmed.indexOf("\n");
+  if (fenceEnd < 0) {
+    return text;
+  }
+  const inside = trimmed.slice(fenceEnd + 1);
+  const closing = inside.lastIndexOf("```");
+  if (closing < 0) {
+    return inside;
+  }
+  return inside.slice(0, closing);
+}
+
+function extractFirstJsonObject(rawText) {
+  const candidate = stripCodeFence(rawText);
+  const start = candidate.indexOf("{");
+  if (start < 0) {
+    return null;
+  }
+  let depth = 0;
+  let inString = false;
+  let escaped = false;
+  for (let index = start; index < candidate.length; index += 1) {
+    const char = candidate[index];
+    if (inString) {
+      if (escaped) {
+        escaped = false;
+      } else if (char === "\\") {
+        escaped = true;
+      } else if (char === "\"") {
+        inString = false;
+      }
+      continue;
+    }
+    if (char === "\"") {
+      inString = true;
+      continue;
+    }
+    if (char === "{") {
+      depth += 1;
+    } else if (char === "}") {
+      depth -= 1;
+      if (depth === 0) {
+        return candidate.slice(start, index + 1);
+      }
+    }
+  }
+  return null;
+}
+
+function normalizeClaudeRawOutput(stdout) {
+  const trimmed = (stdout ?? "").trim();
+  if (!trimmed) {
+    return trimmed;
+  }
+  try {
+    const parsed = JSON.parse(trimmed);
+    if (parsed?.type === "result" && parsed?.structured_output && typeof parsed.structured_output === "object") {
+      return `${JSON.stringify(parsed.structured_output, null, 2)}\n`;
+    }
+    if (parsed?.type === "result" && typeof parsed.result === "string" && parsed.result.trim()) {
+      return normalizeClaudeRawOutput(parsed.result);
+    }
+    return trimmed;
+  } catch {
+    // Fall through to extraction below.
+  }
+  const extracted = extractFirstJsonObject(trimmed);
+  if (extracted) {
+    try {
+      JSON.parse(extracted);
+      return extracted;
+    } catch {
+      return extracted;
+    }
+  }
+  return trimmed;
+}
+
+function terminateProcess(child, signal) {
+  try {
+    if (process.platform !== "win32" && child.pid) {
+      process.kill(-child.pid, signal);
+      return;
+    }
+  } catch {
+    // Fall through to direct child termination.
+  }
+  try {
+    child.kill(signal);
+  } catch {
+    // Process may already have exited.
+  }
+}
+
+const CLAUDE_AUDIT_OUTPUT_SCHEMA = JSON.stringify({
+  type: "object",
+  properties: {
+    chunk_id: { type: "string" },
+    auditor: { type: "object" },
+    coverage: { type: "object" },
+    findings: { type: "array" },
+  },
+  required: ["chunk_id", "auditor", "coverage", "findings"],
+  additionalProperties: false,
+});
+
+function runClaudeExec({ projectRoot, claudeBin, rawOutputPath, prompt, timeoutMs }) {
+  return new Promise((resolve) => {
+    const boundedTimeoutMs = Number.isInteger(timeoutMs) && timeoutMs > 0 ? timeoutMs : DEFAULT_CLAUDE_TIMEOUT_MS;
+    let timedOut = false;
+    let settled = false;
+    let killTimer = null;
+    const child = spawn(claudeBin, [
+      "-p",
+      "--output-format", "json",
+      "--permission-mode", "bypassPermissions",
+      "--allowedTools", CLAUDE_READONLY_ALLOWED_TOOLS.join(","),
+      "--disallowedTools", "Bash,Edit,Write,NotebookEdit",
+      "--no-session-persistence",
+      "--add-dir", projectRoot,
+      "--json-schema", CLAUDE_AUDIT_OUTPUT_SCHEMA,
+    ], {
+      cwd: projectRoot,
+      stdio: ["pipe", "pipe", "pipe"],
+      detached: process.platform !== "win32",
+    });
+
+    const timeoutTimer = setTimeout(() => {
+      timedOut = true;
+      terminateProcess(child, "SIGTERM");
+      killTimer = setTimeout(() => terminateProcess(child, "SIGKILL"), CLAUDE_TIMEOUT_KILL_GRACE_MS);
+    }, boundedTimeoutMs);
+
+    let stdout = "";
+    let stderr = "";
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.on("error", async (error) => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      clearTimeout(timeoutTimer);
+      if (killTimer) {
+        clearTimeout(killTimer);
+      }
+      resolve({ ok: false, exitCode: 1, timedOut, timeoutMs: boundedTimeoutMs, stdout, stderr: `${stderr}${error.message}` });
+    });
+    child.on("close", async (exitCode, signal) => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      clearTimeout(timeoutTimer);
+      if (killTimer) {
+        clearTimeout(killTimer);
+      }
+      try {
+        await writeFile(rawOutputPath, normalizeClaudeRawOutput(stdout));
+      } catch {
+        // best effort; downstream extraction will report missing file.
+      }
+      resolve({ ok: exitCode === 0 && !timedOut, exitCode, signal, timedOut, timeoutMs: boundedTimeoutMs, stdout, stderr });
+    });
+    child.stdin.end(prompt);
+  });
+}
+
+async function prepareClaudeAuditPacket(projectRoot, options) {
+  return withAuditSweepMutationLock(projectRoot, options.sweepId, "chunk claude audit prepare", async () => {
+    const planResult = await loadPlan(projectRoot, options.sweepId);
+    if (!planResult.ok) {
+      return inputError(planResult.error);
+    }
+    const chunkResult = await loadChunk(projectRoot, options.sweepId, options.chunkId);
+    if (!chunkResult.ok) {
+      return inputError(chunkResult.error);
+    }
+    if (chunkResult.chunk.state === "skipped") {
+      return inputError("nimicoding sweep audit refused: skipped chunks cannot be audited through Claude.\n");
+    }
+    const budgetBlock = budgetBlockForChunk(planResult.plan, chunkResult.chunk);
+    if (budgetBlock && chunkResult.chunk.state !== "frozen") {
+      return inputError(`nimicoding sweep audit refused: ${budgetBlock}; build or admit remediation bundles before continuing discovery.\n`);
+    }
+
+    const dispatch = {
+      auditor: options.auditor ?? CLAUDE_AUDITOR_DEFAULT,
+      criteria: chunkResult.chunk.criteria,
+      files: chunkResult.chunk.files,
+      authority_refs: chunkResult.chunk.authority_refs ?? chunkResult.chunk.files,
+      host_authority_projection_refs: chunkResult.chunk.host_authority_projection_refs ?? [],
+      evidence_roots: chunkResult.chunk.evidence_roots ?? [],
+      admitted_evidence_roots: chunkResult.chunk.admitted_evidence_roots ?? [],
+      evidence_inventory: chunkResult.chunk.evidence_inventory ?? [],
+      evidence_inventory_status: chunkResult.chunk.evidence_inventory_status ?? null,
+      evidence_inventory_empty_reason: chunkResult.chunk.evidence_inventory_empty_reason ?? null,
+      execution_owner: "nimicoding_claude_auditor_path",
+    };
+    const packet = buildAuditorPacket(options.sweepId, chunkResult.chunk, dispatch.auditor, options.dispatchedAt, planResult.plan, { projectRoot });
+    packet.execution_owner = "nimicoding_claude_auditor_path";
+    packet.raw_output_contract = {
+      raw_output_is_transcript_ref: true,
+      raw_output_must_be_exact_json: true,
+      schema_drift_rejected_fail_closed: true,
+      scripts_may_only_extract_schema_conformant_evidence: true,
+    };
+
+    const auditorPacketRef = packetRef(options.sweepId, options.chunkId);
+    const updatedChunk = {
+      ...chunkResult.chunk,
+      state: "dispatched",
+      lifecycle: {
+        ...chunkResult.chunk.lifecycle,
+        dispatched_at: options.dispatchedAt,
+        ingested_at: null,
+        reviewed_at: null,
+        frozen_at: null,
+        failed_at: null,
+        skipped_at: null,
+      },
+      dispatch,
+      evidence_ref: null,
+      finding_count: 0,
+      audit_validity: null,
+      review: null,
+      failure: null,
+      updated_at: options.dispatchedAt,
+    };
+
+    await writeYamlRef(projectRoot, auditorPacketRef, packet);
+    await writeYamlRef(projectRoot, chunkResult.chunkRef, updatedChunk);
+    await writeYamlRef(projectRoot, planResult.planRef, {
+      ...updatePlanChunk(planResult.plan, options.chunkId, {
+        state: "dispatched",
+        evidence_ref: null,
+        finding_count: 0,
+        audit_validity: null,
+        failure: null,
+      }),
+      updated_at: options.dispatchedAt,
+    });
+    const runLedgerRef = await appendRunEvent(projectRoot, options.sweepId, {
+      event_type: "chunk_claude_audit_prepared",
+      chunk_id: options.chunkId,
+      chunk_ref: chunkRef(options.sweepId, options.chunkId),
+      packet_ref: auditorPacketRef,
+      auditor: dispatch.auditor,
+    });
+    return {
+      ok: true,
+      chunk: updatedChunk,
+      packet,
+      packetRef: auditorPacketRef,
+      chunkRef: chunkResult.chunkRef,
+      runLedgerRef,
+    };
+  });
+}
+
+async function markClaudeAuditFailed(projectRoot, options) {
+  return withAuditSweepMutationLock(projectRoot, options.sweepId, "chunk claude audit fail", async () => {
+    const planResult = await loadPlan(projectRoot, options.sweepId);
+    if (!planResult.ok) {
+      return inputError(planResult.error);
+    }
+    const chunkResult = await loadChunk(projectRoot, options.sweepId, options.chunkId);
+    if (!chunkResult.ok) {
+      return inputError(chunkResult.error);
+    }
+    const failure = {
+      reason: options.reason,
+      failed_at: options.failedAt,
+      packet_ref: options.packetRef,
+      transcript_ref: options.transcriptRef,
+      phase: options.phase,
+    };
+    const updatedChunk = {
+      ...chunkResult.chunk,
+      state: "failed",
+      lifecycle: {
+        ...chunkResult.chunk.lifecycle,
+        failed_at: options.failedAt,
+        skipped_at: null,
+      },
+      failure,
+      updated_at: options.failedAt,
+    };
+    await writeYamlRef(projectRoot, chunkResult.chunkRef, updatedChunk);
+    await writeYamlRef(projectRoot, planResult.planRef, {
+      ...updatePlanChunk(planResult.plan, options.chunkId, {
+        state: "failed",
+        failure,
+      }),
+      updated_at: options.failedAt,
+    });
+    const runLedgerRef = await appendRunEvent(projectRoot, options.sweepId, {
+      event_type: "chunk_failed",
+      chunk_id: options.chunkId,
+      chunk_ref: chunkResult.chunkRef,
+      packet_ref: options.packetRef,
+      transcript_ref: options.transcriptRef,
+      summary: options.reason,
+      phase: options.phase,
+    });
+    return {
+      ok: true,
+      state: "failed",
+      chunkRef: chunkResult.chunkRef,
+      runLedgerRef,
+    };
+  });
+}
+
+export async function runClaudeAuditSweepChunk(projectRoot, options) {
+  const sweepId = safeSweepId(options.sweepId);
+  if (!sweepId || typeof options.chunkId !== "string") {
+    return inputError("nimicoding sweep audit refused: --sweep-id and --chunk-id are required.\n");
+  }
+  const dispatchedAtError = ensureIsoTimestamp(options.dispatchedAt, "--dispatched-at");
+  if (dispatchedAtError) {
+    return dispatchedAtError;
+  }
+  const verifiedAtError = ensureIsoTimestamp(options.verifiedAt, "--verified-at");
+  if (verifiedAtError) {
+    return verifiedAtError;
+  }
+  const reviewedAtError = ensureIsoTimestamp(options.reviewedAt, "--reviewed-at");
+  if (reviewedAtError) {
+    return reviewedAtError;
+  }
+
+  const prepare = await prepareClaudeAuditPacket(projectRoot, {
+    ...options,
+    sweepId,
+  });
+  if (!prepare.ok) {
+    return prepare;
+  }
+
+  const outputSuffix = `.${claudeRunToken(options.dispatchedAt)}`;
+  let rawRef = claudeOutputRef(sweepId, options.chunkId, `${outputSuffix}${CLAUDE_RAW_SUFFIX}`);
+  const evidenceCandidateRef = claudeOutputRef(sweepId, options.chunkId, `${outputSuffix}${CLAUDE_EVIDENCE_SUFFIX}`);
+  let rawOutputPath = artifactPath(projectRoot, rawRef);
+  let sessionRef = `claude-exec:${sweepId}:${options.chunkId}:${options.dispatchedAt}`;
+  if (options.fromRawOutput) {
+    const replaySource = resolveInsideProject(projectRoot, options.fromRawOutput, "--from-raw-output");
+    if (!replaySource.ok) {
+      await markClaudeAuditFailed(projectRoot, {
+        sweepId,
+        chunkId: options.chunkId,
+        failedAt: options.verifiedAt,
+        packetRef: prepare.packetRef,
+        transcriptRef: rawRef,
+        phase: "raw_output_replay",
+        reason: replaySource.error.trim(),
+      });
+      return inputError(replaySource.error);
+    }
+    try {
+      const replayText = await readFile(replaySource.absolutePath, "utf8");
+      await mkdir(path.dirname(rawOutputPath), { recursive: true });
+      await writeFile(rawOutputPath, normalizeClaudeRawOutput(replayText));
+      sessionRef = `claude-replay:${sweepId}:${options.chunkId}:${options.dispatchedAt}:${projectRefForPath(projectRoot, replaySource.absolutePath)}`;
+    } catch (error) {
+      const reason = `Claude replay raw output could not be read or normalized: ${error.message}`;
+      await markClaudeAuditFailed(projectRoot, {
+        sweepId,
+        chunkId: options.chunkId,
+        failedAt: options.verifiedAt,
+        packetRef: prepare.packetRef,
+        transcriptRef: rawRef,
+        phase: "raw_output_replay",
+        reason,
+      });
+      return inputError(`nimicoding sweep audit refused: ${reason}\n`);
+    }
+  } else {
+    await mkdir(path.dirname(rawOutputPath), { recursive: true });
+    const runResult = await runClaudeExec({
+      projectRoot,
+      claudeBin: options.claudeBin ?? "claude",
+      rawOutputPath,
+      prompt: claudePrompt({
+        packet: prepare.packet,
+        auditorPacketRef: prepare.packetRef,
+        rawRef,
+        sessionRef,
+      }),
+      timeoutMs: options.timeoutMs,
+    });
+    if (!runResult.ok) {
+      const failureReason = runResult.timedOut
+        ? `Claude auditor execution timed out after ${runResult.timeoutMs}ms.`
+        : `Claude auditor execution failed with exit code ${runResult.exitCode ?? "unknown"}.`;
+      await markClaudeAuditFailed(projectRoot, {
+        sweepId,
+        chunkId: options.chunkId,
+        failedAt: options.verifiedAt,
+        packetRef: prepare.packetRef,
+        transcriptRef: rawRef,
+        phase: "claude_execution",
+        reason: failureReason,
+      });
+      await appendRunEvent(projectRoot, sweepId, {
+        event_type: "chunk_claude_audit_failed",
+        chunk_id: options.chunkId,
+        chunk_ref: prepare.chunkRef,
+        packet_ref: prepare.packetRef,
+        transcript_ref: rawRef,
+        exit_code: runResult.exitCode,
+        timed_out: runResult.timedOut,
+        timeout_ms: runResult.timeoutMs,
+        stderr_tail: runResult.stderr.slice(-2000),
+      });
+      return inputError(`nimicoding sweep audit refused: ${failureReason}\n`);
+    }
+  }
+
+  const extracted = await extractCodexAuditorEvidenceFile(projectRoot, {
+    rawOutputPath,
+    evidenceRef: evidenceCandidateRef,
+    chunk: prepare.chunk,
+    packetRef: prepare.packetRef,
+    sessionRef,
+    transcriptRef: rawRef,
+    auditorId: options.auditor ?? CLAUDE_AUDITOR_DEFAULT,
+    auditorMode: "claude_semantic_audit",
+  });
+  if (!extracted.ok) {
+    await markClaudeAuditFailed(projectRoot, {
+      sweepId,
+      chunkId: options.chunkId,
+      failedAt: options.verifiedAt,
+      packetRef: prepare.packetRef,
+      transcriptRef: rawRef,
+      phase: "auditor_output_validation",
+      reason: `Claude auditor output rejected: ${extracted.error}.`,
+    });
+    await appendRunEvent(projectRoot, sweepId, {
+      event_type: "chunk_claude_auditor_output_rejected",
+      chunk_id: options.chunkId,
+      chunk_ref: prepare.chunkRef,
+      packet_ref: prepare.packetRef,
+      transcript_ref: rawRef,
+      reason: extracted.error,
+    });
+    return inputError(`nimicoding sweep audit refused: Claude auditor output rejected for ${options.chunkId}: ${extracted.error}.\n`);
+  }
+
+  await appendRunEvent(projectRoot, sweepId, {
+    event_type: "chunk_claude_auditor_output_accepted",
+    chunk_id: options.chunkId,
+    chunk_ref: prepare.chunkRef,
+    packet_ref: prepare.packetRef,
+    transcript_ref: rawRef,
+    evidence_candidate_ref: evidenceCandidateRef,
+    audit_validity: extracted.auditValidity,
+  });
+
+  const ingest = await ingestAuditSweepChunk(projectRoot, {
+    sweepId,
+    chunkId: options.chunkId,
+    fromPath: evidenceCandidateRef,
+    verifiedAt: options.verifiedAt,
+  });
+  if (!ingest.ok) {
+    await markClaudeAuditFailed(projectRoot, {
+      sweepId,
+      chunkId: options.chunkId,
+      failedAt: options.verifiedAt,
+      packetRef: prepare.packetRef,
+      transcriptRef: rawRef,
+      phase: "chunk_ingest",
+      reason: `Claude auditor evidence ingest rejected: ${ingest.error ?? "unknown ingest failure"}.`,
+    });
+    return inputError(`nimicoding sweep audit refused: Claude auditor evidence ingest rejected for ${options.chunkId}: ${ingest.error ?? "unknown ingest failure"}.\n`);
+  }
+
+  const review = await reviewAuditSweepChunk(projectRoot, {
+    sweepId,
+    chunkId: options.chunkId,
+    verdict: "pass",
+    reviewedAt: options.reviewedAt,
+    reviewer: options.reviewer ?? "nimicoding_claude_auditor_path",
+    summary: options.summary ?? `Claude semantic audit accepted from ${rawRef}.`,
+  });
+  if (!review.ok) {
+    await markClaudeAuditFailed(projectRoot, {
+      sweepId,
+      chunkId: options.chunkId,
+      failedAt: options.reviewedAt,
+      packetRef: prepare.packetRef,
+      transcriptRef: rawRef,
+      phase: "chunk_review",
+      reason: `Claude auditor evidence review rejected: ${review.error ?? "unknown review failure"}.`,
+    });
+    return inputError(`nimicoding sweep audit refused: Claude auditor evidence review rejected for ${options.chunkId}: ${review.error ?? "unknown review failure"}.\n`);
+  }
+
+  const validation = await validateAuditSweepArtifacts(projectRoot, {
+    sweepId,
+    scope: "chunks",
+  });
+  const chunkScopedFailures = (validation.checks ?? []).filter((entry) => {
+    if (entry.ok) {
+      return false;
+    }
+    const id = entry.id ?? "";
+    return id.includes(options.chunkId);
+  });
+  if (chunkScopedFailures.length > 0) {
+    const failureSummary = chunkScopedFailures.map((entry) => `${entry.id}: ${entry.reason}`).join("; ");
+    await markClaudeAuditFailed(projectRoot, {
+      sweepId,
+      chunkId: options.chunkId,
+      failedAt: options.reviewedAt,
+      packetRef: prepare.packetRef,
+      transcriptRef: rawRef,
+      phase: "post_chunk_validation",
+      reason: `Post-Claude chunk validation failed: ${failureSummary}`,
+    });
+    return inputError(`nimicoding sweep audit refused: post-Claude chunk validation failed for ${options.chunkId}: ${failureSummary}.\n`);
+  }
+
+  return {
+    ok: true,
+    exitCode: 0,
+    sweepId,
+    chunkId: options.chunkId,
+    state: "frozen",
+    packetRef: prepare.packetRef,
+    transcriptRef: rawRef,
+    extractedEvidenceRef: evidenceCandidateRef,
+    evidenceRef: ingest.evidenceRef,
+    findingsRef: ingest.findingsRef,
+    findingCount: ingest.findingCount,
+    addedCount: ingest.addedCount,
+    duplicateCount: ingest.duplicateCount,
+    reviewRef: review.runLedgerRef,
+    validationScope: "chunks",
+  };
+}

package/cli/lib/audit-sweep-runtime/codex-auditor-evidence.mjs

@@ -183,7 +183,7 @@ function isNonImplementationContextRef(ref) {
 }
 
 function stripNonImplementationContextRefs(refs, evidenceInventorySet) {
-  return refs.filter((ref) => evidenceInventorySet.has(ref) || !isNonImplementationContextRef(ref));
+  return refs.filter((ref) => !isNonImplementationContextRef(ref));
 }
 
 function normalizeFindingEnvelope(finding, evidenceInventorySet, authorityRefSet = new Set()) {
@@ -412,6 +412,7 @@ function normalizeOutcome(rawOutcome, index, authorityRef, evidenceInventorySet)
     ...normalizeRefs(rawOutcome.inspected_implementation_refs),
     ...normalizeRefs(rawOutcome.implementation_evidence_refs),
   ]);
+  const contextOnlyRefs = inspectedImplementationRefs.filter((ref) => isNonImplementationContextRef(ref));
   const implementationRefs = stripNonImplementationContextRefs(inspectedImplementationRefs, evidenceInventorySet);
   const invalidImplementationRefs = refsOutsideSet(implementationRefs, evidenceInventorySet);
   if (invalidImplementationRefs.length > 0) {
@@ -438,6 +439,9 @@ function normalizeOutcome(rawOutcome, index, authorityRef, evidenceInventorySet)
   if (typeof rawOutcome.implementation_not_applicable_reason === "string" && rawOutcome.implementation_not_applicable_reason.trim()) {
     normalized.implementation_not_applicable_reason = rawOutcome.implementation_not_applicable_reason.trim();
   }
+  if (!normalized.implementation_not_applicable_reason && implementationRefs.length === 0 && contextOnlyRefs.length > 0) {
+    normalized.implementation_not_applicable_reason = `Only non-implementation context refs were cited: ${uniqueRefs(contextOnlyRefs).join(", ")}.`;
+  }
   if (!normalized.reason && status === "not_applicable" && normalized.implementation_not_applicable_reason) {
     normalized.reason = normalized.implementation_not_applicable_reason;
   }
@@ -476,10 +480,17 @@ function normalizeRuleChecks(rawRuleChecks, evidenceInventorySet, authorityRefSe
     if (typeof rawCheck.negative_reasoning !== "string" || !rawCheck.negative_reasoning.trim()) {
       return { ok: false, error: `coverage.p0p1_rule_checks[${index}].negative_reasoning is required` };
     }
-    const rawRefs = stripNonImplementationContextRefs(uniqueRefs(normalizeRefs(rawCheck.implementation_refs)), evidenceInventorySet);
+    const inputRefs = uniqueRefs(normalizeRefs(rawCheck.implementation_refs));
+    const rawRefs = stripNonImplementationContextRefs(inputRefs, evidenceInventorySet);
     const refs = rawRefs.filter((ref) => evidenceInventorySet.has(ref));
     const invalidRawRefs = rawRefs.filter((ref) => !evidenceInventorySet.has(ref) && !authorityRefSet.has(ref));
-    if (rawCheck.status === "checked" && refs.length === 0) {
+    const status = rawCheck.status === "checked"
+      && refs.length === 0
+      && inputRefs.length > 0
+      && inputRefs.every((ref) => isNonImplementationContextRef(ref))
+      ? "not_applicable"
+      : rawCheck.status;
+    if (status === "checked" && refs.length === 0) {
       return { ok: false, error: `coverage.p0p1_rule_checks[${index}].implementation_refs is required when status is checked` };
     }
     if (invalidRawRefs.length > 0) {
@@ -491,7 +502,7 @@ function normalizeRuleChecks(rawRuleChecks, evidenceInventorySet, authorityRefSe
     implementationRefs.push(...refs);
     ruleChecks.push({
       id,
-      status: rawCheck.status,
+      status,
       implementation_refs: refs,
       negative_reasoning: rawCheck.negative_reasoning.trim(),
     });
@@ -524,6 +535,7 @@ function normalizeCodexSemanticOutput(rawOutput, chunk, options) {
   }
 
   const evidenceInventory = chunk.planning_basis === "spec_authority" ? (chunk.evidence_inventory ?? []) : (chunk.files ?? []);
+  const p0p1ImplementationInventory = evidenceInventory.filter((ref) => !isNonImplementationContextRef(ref));
   const evidenceInventorySet = new Set(evidenceInventory);
   const authorityRefSet = new Set(authorityRefs);
   const outcomes = [];
@@ -561,7 +573,7 @@ function normalizeCodexSemanticOutput(rawOutput, chunk, options) {
     chunk_id: chunk.chunk_id,
     auditor: {
       id: typeof rawOutput.auditor?.id === "string" && rawOutput.auditor.id.trim() ? rawOutput.auditor.id : options.auditorId,
-      mode: "codex_semantic_audit",
+      mode: options.auditorMode ?? "codex_semantic_audit",
       methodology_ref: "package://@nimiplatform/nimi-coding/methodology/audit-sweep-p0p1-recall.yaml",
       provenance: {
         kind: "semantic_audit",
@@ -591,12 +603,14 @@ function normalizeCodexSemanticOutput(rawOutput, chunk, options) {
   if (typeof rawOutput.coverage.p0p1_implementation_not_applicable_reason === "string" && rawOutput.coverage.p0p1_implementation_not_applicable_reason.trim()) {
     evidence.coverage.p0p1_implementation_not_applicable_reason = rawOutput.coverage.p0p1_implementation_not_applicable_reason.trim();
   }
-  if (!evidence.coverage.p0p1_implementation_not_applicable_reason && evidenceInventory.length === 0) {
+  if (!evidence.coverage.p0p1_implementation_not_applicable_reason && p0p1ImplementationInventory.length === 0) {
     const outcomeReasons = outcomes
       .map((outcome) => outcome.implementation_not_applicable_reason)
       .filter((reason) => typeof reason === "string" && reason.trim().length > 0);
     if (outcomeReasons.length > 0) {
       evidence.coverage.p0p1_implementation_not_applicable_reason = uniqueRefs(outcomeReasons).join(" ");
+    } else {
+      evidence.coverage.p0p1_implementation_not_applicable_reason = "The chunk has no in-scope implementation refs after excluding context/governance/authority documents.";
     }
   }
   return { ok: true, evidence };
@@ -620,6 +634,7 @@ export async function extractCodexAuditorEvidenceFile(projectRoot, options) {
     sessionRef: options.sessionRef,
     transcriptRef: options.transcriptRef,
     auditorId: options.auditorId,
+    auditorMode: options.auditorMode,
   });
   if (!normalized.ok) {
     return normalized;

package/cli/lib/audit-sweep-runtime/codex-auditor.mjs

@@ -52,8 +52,9 @@ function codexPrompt({ packet, auditorPacketRef, rawRef, sessionRef }) {
     "You only author semantic audit content: authority_outcomes reasoning/status, inspected_implementation_refs, P0/P1 rule checks, p0p1_negative_reasoning when applicable, and findings.",
     "For each authority outcome, set authority_ref to the packet authority_ref and put inspected implementation refs in inspected_implementation_refs or implementation_evidence_refs.",
     "Every implementation ref you cite must be an exact file ref from packet.selected_implementation_refs / packet.evidence_inventory.",
-    "Never put AGENTS.md, README.md, spec files, authority refs, methodology docs, or governance docs in inspected_implementation_refs, implementation_evidence_refs, coverage.p0p1_evidence_refs, findings[].implementation_refs, or coverage.p0p1_rule_checks[].implementation_refs unless that exact file appears in packet.selected_implementation_refs.",
-    "If a governance or authority document influenced reasoning but is not in packet.selected_implementation_refs, mention it only in negative_reasoning/description text, not in any implementation_refs array.",
+    "Never put AGENTS.md, README.md, spec files, authority refs, methodology docs, or governance docs in inspected_implementation_refs, implementation_evidence_refs, coverage.p0p1_evidence_refs, findings[].implementation_refs, or coverage.p0p1_rule_checks[].implementation_refs; even if packet.selected_implementation_refs includes them, treat them as context only.",
+    "If only context/governance/authority documents are available after that exclusion, use status=\"not_applicable\" for P0/P1 rule checks and explain the lack of implementation surface in negative_reasoning.",
+    "If a governance or authority document influenced reasoning, mention it only in negative_reasoning/description text, not in any implementation_refs array.",
     "Use packet.audit_depth to size your inspection: deep means inspect the selected slice thoroughly, normal means focused semantic inspection, shallow means audit generated/table/index invariants from the selected slice without expanding the omitted inventory.",
     "Return exactly one JSON object and nothing else. Do not wrap it in markdown.",
     "The JSON object must have exactly these top-level fields: chunk_id, auditor, coverage, findings.",

package/cli/lib/audit-sweep-runtime/common.mjs

@@ -20,6 +20,7 @@ export const AUDITABLE_EXTENSIONS = new Set([
   ".json",
   ".md",
   ".mjs",
+  ".prisma",
   ".proto",
   ".py",
   ".rs",
@@ -30,13 +31,24 @@ export const AUDITABLE_EXTENSIONS = new Set([
 ]);
 export const DEFAULT_EXCLUDE_PATTERNS = [
   ".git/",
+  ".agents/",
+  ".claude/",
+  ".iterate/",
   ".next/",
   ".nimi/local/",
+  ".openclaw/",
   ".turbo/",
+  "AGENTS.md",
   "archive/",
   "dist/",
+  "docs/_archive/",
   "generated/",
   "node_modules/",
+  "README.md",
+  "**/AGENTS.md",
+  "**/README.md",
+  "_archive/",
+  "**/_archive/**",
   "pnpm-lock.yaml",
   "package-lock.json",
   "yarn.lock",

package/cli/lib/audit-sweep-runtime/inventory-spec-chunks.mjs

@@ -7,26 +7,112 @@ function evidenceRootsForSpecOwner(ownerDomain, targetRootRef) {
     return [targetRootRef];
   }
   const owner = String(ownerDomain ?? "").trim().replace(/\\/g, "/").replace(/^\/+|\/+$/g, "");
-  const repoWideEvidenceRoots = [".", ".github", "config", "scripts", "src", "lib", "packages", "apps", "tools", "services"];
   if (!owner || owner === "spec-meta" || owner === "spec-root") {
-    return repoWideEvidenceRoots;
+    return [];
   }
   if (owner === "project") {
-    return ["src", "lib", "packages", "apps", "tools", "services", "scripts", "config"];
+    return ["src", "lib", "packages", "apps", "tools", "services"];
   }
   return [
     owner,
+    `nimi-${owner}`,
     `src/${owner}`,
     `lib/${owner}`,
     `packages/${owner}`,
+    `packages/nimi-${owner}`,
     `apps/${owner}`,
     `tools/${owner}`,
     `services/${owner}`,
-    "scripts",
-    "config",
   ];
 }
 
+const DECLARED_EVIDENCE_REF_PATTERN = /(?:^|[\s"'`([{:;,])((?:\.\/)?(?:[A-Za-z0-9_.@+-]+\/)+[A-Za-z0-9_@+.-]+\.(?:cjs|css|go|js|jsx|json|md|mjs|prisma|proto|py|rs|ts|tsx|yaml|yml))(?:[#:)\\\],;."'`]|\s|$)/gu;
+
+function looksLikeSpecAuthorityRelativeRef(normalized) {
+  const extension = path.posix.extname(normalized);
+  if (![".md", ".yaml", ".yml"].includes(extension)) {
+    return false;
+  }
+  const parts = normalized.split("/");
+  const firstSegment = parts[0];
+  if (["tables", "generated", "kernel"].includes(firstSegment)) {
+    return true;
+  }
+  if (parts[1] === "kernel") {
+    return true;
+  }
+  const specDomainLike = /^(backend|dashboard|realm|runtime|v[0-9]+|vision|workers)$/u.test(firstSegment);
+  return specDomainLike && parts.length <= 2;
+}
+
+function normalizeDeclaredEvidenceRef(value) {
+  const normalized = String(value ?? "")
+    .trim()
+    .replace(/\\/g, "/")
+    .replace(/^\.\//, "")
+    .replace(/[),.;:]+$/u, "");
+  if (!normalized || normalized.startsWith("../") || normalized.includes("/../") || normalized.startsWith("http:") || normalized.startsWith("https:")) {
+    return null;
+  }
+  if (!normalized.includes("/")) {
+    return null;
+  }
+  const firstSegment = normalized.split("/")[0];
+  if (looksLikeSpecAuthorityRelativeRef(normalized)) {
+    return null;
+  }
+  if (
+    normalized.startsWith(".nimi/spec/")
+    || normalized.startsWith(".nimi/contracts/")
+    || normalized.startsWith(".nimi/methodology/")
+    || normalized.startsWith(".nimi/local/")
+    || normalized.startsWith(".agents/")
+    || normalized.startsWith(".claude/")
+    || normalized.startsWith(".openclaw/")
+    || normalized.includes("/.nimi/spec/")
+    || normalized.includes("/.nimi/contracts/")
+    || normalized.includes("/.nimi/methodology/")
+  ) {
+    return null;
+  }
+  const basename = path.posix.basename(normalized).toLowerCase();
+  if (basename === "agents.md" || basename === "readme.md") {
+    return null;
+  }
+  return normalized;
+}
+
+function candidateEvidenceRefsForDeclaredRef(declaredRef, evidenceRoots) {
+  const normalized = String(declaredRef ?? "").replace(/\\/g, "/").replace(/^\.\//, "").replace(/\/$/, "");
+  if (!normalized) {
+    return [];
+  }
+  const candidates = [normalized];
+  for (const rootRef of evidenceRoots ?? []) {
+    const root = String(rootRef ?? "").replace(/\\/g, "/").replace(/\/$/, "");
+    if (!root || root === "." || root.startsWith(".nimi/spec") || path.posix.extname(root)) {
+      continue;
+    }
+    if (normalized === root || normalized.startsWith(`${root}/`)) {
+      candidates.push(normalized);
+    } else {
+      candidates.push(`${root}/${normalized}`);
+    }
+  }
+  return [...new Set(candidates)].sort();
+}
+
+function extractDeclaredEvidenceRefs(text) {
+  const refs = [];
+  for (const match of String(text ?? "").matchAll(DECLARED_EVIDENCE_REF_PATTERN)) {
+    const normalized = normalizeDeclaredEvidenceRef(match[1]);
+    if (normalized) {
+      refs.push(normalized);
+    }
+  }
+  return [...new Set(refs)].sort();
+}
+
 function slugPart(value) {
   return String(value)
     .replace(/[^a-zA-Z0-9]+/g, "-")
@@ -132,22 +218,34 @@ export function buildSpecChunks(includedInventory, options) {
     const rootAdmissions = (options.auditEvidenceRootAdmissions ?? [])
       .filter((admission) => admission.owner_domain === surface.ownerDomain && admission.authority_refs.includes(entry.file_ref));
     const admittedEvidenceRoots = rootAdmissions.flatMap((admission) => admission.evidence_roots);
+    const authorityText = authorityRefs
+      .map((authorityRef) => options.authorityTextByRef?.get(authorityRef) ?? "")
+      .join("\n");
+    const declaredEvidenceRefs = packageAdmission || appAdmission
+      ? []
+      : extractDeclaredEvidenceRefs(authorityText);
     const evidenceRoots = packageAdmission
       ? packageAdmission.evidence_roots
       : appAdmission
       ? appAdmission.evidence_roots
       : [...new Set([
         ...evidenceRootsForSpecOwner(surface.ownerDomain, options.targetRootRef),
+        ...declaredEvidenceRefs,
         ...admittedEvidenceRoots,
       ])].sort();
     const moduleMapRefs = surface.surface === "domain-guides" || surface.surface === "app-domain-guides"
       ? extractModuleMapRefs(options.authorityTextByRef?.get(entry.file_ref) ?? "")
       : [];
-    const declaredEvidenceTargets = moduleMapRefs
-      .map((moduleRef) => ({
+    const declaredEvidenceTargets = [
+      ...moduleMapRefs.map((moduleRef) => ({
         source_path: moduleRef,
         candidates: candidateEvidenceRefsForModuleMapPath(moduleRef, evidenceRoots),
-      }))
+      })),
+      ...declaredEvidenceRefs.map((evidenceRef) => ({
+        source_path: evidenceRef,
+        candidates: candidateEvidenceRefsForDeclaredRef(evidenceRef, evidenceRoots),
+      })),
+    ]
       .filter((target) => target.candidates.length > 0);
     chunkIndex += 1;
     const chunkId = [

package/cli/lib/audit-sweep-runtime/inventory.mjs

@@ -111,7 +111,7 @@ async function listFallbackFiles(projectRoot, targetRootRef, excludePatterns) {
 
 function classifyFile(fileRef) {
   const extension = path.posix.extname(fileRef);
-  if ([".md", ".yaml", ".yml", ".json"].includes(extension)) {
+  if ([".md", ".yaml", ".yml", ".json", ".prisma"].includes(extension)) {
     return "contract-or-doc";
   }
   if ([".test.ts", ".test.js", ".spec.ts", ".spec.js"].some((suffix) => fileRef.endsWith(suffix))) {
@@ -509,9 +509,7 @@ export async function createAuditSweepPlan(projectRoot, options) {
   const authorityTextByRef = new Map();
   if (chunkBasis.basis === "spec") {
     for (const entry of includedInventory) {
-      if ([".md", ".markdown"].includes(entry.extension)) {
-        authorityTextByRef.set(entry.file_ref, await readFile(artifactPath(projectRoot, entry.file_ref), "utf8"));
-      }
+      authorityTextByRef.set(entry.file_ref, await readFile(artifactPath(projectRoot, entry.file_ref), "utf8"));
     }
   }
   let chunks = chunkBasis.basis === "spec"

package/cli/lib/audit-sweep-runtime/validators.mjs

@@ -43,6 +43,10 @@ const RUN_EVENT_TYPES = new Set([
   "chunk_codex_audit_failed",
   "chunk_codex_auditor_output_rejected",
   "chunk_codex_auditor_output_accepted",
+  "chunk_claude_audit_prepared",
+  "chunk_claude_audit_failed",
+  "chunk_claude_auditor_output_rejected",
+  "chunk_claude_auditor_output_accepted",
   "ledger_snapshot_created",
   "remediation_map_created",
   "remediation_map_admitted",
@@ -610,7 +614,8 @@ function validateRunLedgerReplay(events, plan, chunks, findings, latestLedger, c
   check(checks, "run_replay_plan_created", eventsByType.get("plan_created")?.some((event) => event.plan_ref === planRefFromPlan(plan)) === true, "run ledger records plan_created for this plan");
   for (const chunk of chunks) {
     const dispatched = eventsByType.get("chunk_dispatched")?.some((event) => event.chunk_id === chunk.chunk_id) === true
-      || eventsByType.get("chunk_codex_audit_prepared")?.some((event) => event.chunk_id === chunk.chunk_id) === true;
+      || eventsByType.get("chunk_codex_audit_prepared")?.some((event) => event.chunk_id === chunk.chunk_id) === true
+      || eventsByType.get("chunk_claude_audit_prepared")?.some((event) => event.chunk_id === chunk.chunk_id) === true;
     const ingested = eventsByType.get("chunk_ingested")?.some((event) => event.chunk_id === chunk.chunk_id && event.evidence_ref === chunk.evidence_ref) === true;
     const frozen = eventsByType.get("chunk_frozen")?.some((event) => event.chunk_id === chunk.chunk_id) === true;
     const failed = eventsByType.get("chunk_failed")?.some((event) => event.chunk_id === chunk.chunk_id) === true;

package/cli/lib/audit-sweep.mjs

@@ -6,6 +6,7 @@ export {
 } from "./audit-sweep-runtime/chunks.mjs";
 export { ingestAuditSweepChunk } from "./audit-sweep-runtime/ingest.mjs";
 export { runCodexAuditSweepChunk } from "./audit-sweep-runtime/codex-auditor.mjs";
+export { runClaudeAuditSweepChunk } from "./audit-sweep-runtime/claude-auditor.mjs";
 export { buildAuditSweepLedger } from "./audit-sweep-runtime/ledger.mjs";
 export {
   admitAuditSweepRemediationMap,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nimiplatform/nimi-coding",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "private": false,
   "description": "AI-native coding governance toolkit for bootstrapping .nimi/** into arbitrary projects.",
   "license": "MIT",