auditor-lambda 0.1.0 → 0.2.1

package/dist/orchestrator/flowPlanning.js

@@ -3,39 +3,32 @@ const DEFAULT_FLOW_LENS_PRIORITY = [
     "reliability",
     "correctness",
 ];
-function normalizeTaskSignature(task) {
-    const path = task.file_paths.join(",");
-    const range = task.line_ranges?.map((r) => `${r.path}:${r.start}-${r.end}`).join(",") ??
-        "full";
-    return `${task.lens}|${path}|${range}`;
-}
-export function buildFlowAwareTaskAugmentations(existingTasks, criticalFlows, lineIndex) {
+export function buildFlowAwareTaskAugmentations(existingTasks, criticalFlows, _lineIndex) {
     const seenTaskIds = new Set(existingTasks.map((task) => task.task_id));
-    const existingSignatures = new Set(existingTasks.map(normalizeTaskSignature));
+    // Signature: lens + sorted file list, so duplicate (flow, lens) combos across
+    // different flow groupings are still deduplicated.
+    const existingSignatures = new Set(existingTasks.map((t) => `${t.lens}|${[...t.file_paths].sort().join(",")}`));
     const extraTasks = [];
     for (const flow of criticalFlows.flows) {
         const desiredLenses = flow.concerns.filter((concern) => DEFAULT_FLOW_LENS_PRIORITY.includes(concern));
-        for (const path of flow.paths) {
-            const totalLines = lineIndex[path] ?? 0;
-            for (const lens of desiredLenses) {
-                const candidate = {
-                    task_id: `flow:${flow.id}:${lens}:${path}`,
-                    unit_id: `flow:${flow.id}`,
-                    pass_id: `flow-pass:${lens}`,
-                    lens,
-                    file_paths: [path],
-                    line_ranges: totalLines > 0 ? [{ path, start: 1, end: totalLines }] : undefined,
-                    rationale: `Flow-aware audit for ${path} because it participates in critical flow ${flow.id} under the ${lens} lens.`,
-                };
-                const signature = normalizeTaskSignature(candidate);
-                if (seenTaskIds.has(candidate.task_id) ||
-                    existingSignatures.has(signature)) {
-                    continue;
-                }
-                extraTasks.push(candidate);
-                seenTaskIds.add(candidate.task_id);
-                existingSignatures.add(signature);
+        for (const lens of desiredLenses) {
+            // One task per (flow, lens) with all flow paths together so the agent
+            // can trace data across file boundaries in a single pass.
+            const taskId = `flow:${flow.id}:${lens}`;
+            const signature = `${lens}|${[...flow.paths].sort().join(",")}`;
+            if (seenTaskIds.has(taskId) || existingSignatures.has(signature)) {
+                continue;
             }
+            extraTasks.push({
+                task_id: taskId,
+                unit_id: `flow:${flow.id}`,
+                pass_id: `flow-pass:${lens}`,
+                lens,
+                file_paths: [...flow.paths],
+                rationale: `Flow-aware audit for critical flow "${flow.id}" (${flow.paths.length} file${flow.paths.length === 1 ? "" : "s"}) under the ${lens} lens.`,
+            });
+            seenTaskIds.add(taskId);
+            existingSignatures.add(signature);
         }
     }
     return extraTasks;

package/dist/orchestrator/internalExecutors.js

@@ -87,7 +87,6 @@ export function runPlanningExecutor(bundle, lineIndex = {}) {
     const runtimeValidationTasks = buildRuntimeValidationTasks(bundle.unit_manifest, bundle.critical_flows, flowCoverage);
     const runtimeValidationReport = preserveOrPlaceholder(runtimeValidationTasks, bundle.runtime_validation_report);
     const baseTasks = buildChunkedAuditTasks(bundle.unit_manifest, lineIndex, {
-        chunk_size: 200,
         external_analyzer_results: externalAnalyzerResults,
     });
     const analyzerTasks = buildExternalSignalTasks(coverage, lineIndex, externalAnalyzerResults);

package/dist/orchestrator/taskBuilder.d.ts

@@ -4,9 +4,14 @@ export interface UnitLineIndex {
     [path: string]: number;
 }
 export interface BuildChunkedTaskOptions {
-    chunk_size?: number;
+    /**
+     * Line count above which a single file gets its own task rather than being
+     * grouped with the rest of its unit. Default: 3000. Set to 0 to disable
+     * splitting entirely.
+     */
+    file_split_threshold?: number;
     limit_lenses?: Lens[];
     external_analyzer_results?: ExternalAnalyzerResults;
 }
 export declare function buildChunkedAuditTasks(unitManifest: UnitManifest, unitLineIndex: UnitLineIndex, options?: BuildChunkedTaskOptions): AuditTask[];
-export declare function buildExternalSignalTasks(coverageMatrix: CoverageMatrix, unitLineIndex: UnitLineIndex, externalAnalyzerResults?: ExternalAnalyzerResults): AuditTask[];
+export declare function buildExternalSignalTasks(coverageMatrix: CoverageMatrix, _unitLineIndex: UnitLineIndex, externalAnalyzerResults?: ExternalAnalyzerResults): AuditTask[];

package/dist/orchestrator/taskBuilder.js

@@ -1,12 +1,17 @@
-function chunkRanges(totalLines, chunkSize) {
-    const ranges = [];
-    let start = 1;
-    while (start <= totalLines) {
-        const end = Math.min(start + chunkSize - 1, totalLines);
-        ranges.push({ start, end });
-        start = end + 1;
+function modelHintForLens(lens) {
+    switch (lens) {
+        case "security":
+        case "correctness":
+        case "reliability":
+        case "data_integrity":
+            return "capable";
+        case "architecture":
+        case "maintainability":
+        case "tests":
+            return "balanced";
+        default:
+            return "fast";
     }
-    return ranges;
 }
 function taskPriority(hasExternalSignal, lens) {
     if (hasExternalSignal &&
@@ -48,7 +53,7 @@ function pickAnalyzerLens(category) {
     return "correctness";
 }
 export function buildChunkedAuditTasks(unitManifest, unitLineIndex, options = {}) {
-    const chunkSize = options.chunk_size ?? 200;
+    const fileSplitThreshold = options.file_split_threshold ?? 3000;
     const allowed = new Set(options.limit_lenses ?? []);
     const enforceLensFilter = allowed.size > 0;
     const tasks = [];
@@ -63,49 +68,54 @@ export function buildChunkedAuditTasks(unitManifest, unitLineIndex, options = {}
             if (enforceLensFilter && !allowed.has(lens)) {
                 continue;
             }
-            for (const filePath of unit.files) {
-                const hasExternalSignal = externalPaths.has(filePath);
-                const priority = taskPriority(hasExternalSignal, lens);
-                const tags = hasExternalSignal ? ["external_analyzer_signal"] : [];
-                const lineCount = unitLineIndex[filePath] ?? 0;
-                const ranges = chunkRanges(lineCount, chunkSize);
-                if (ranges.length === 0) {
-                    const id = `${unit.unit_id}:${lens}:${filePath}:full`;
-                    if (seen.has(id))
-                        continue;
-                    seen.add(id);
-                    tasks.push({
-                        task_id: id,
-                        unit_id: unit.unit_id,
-                        pass_id: `pass:${lens}`,
-                        lens,
-                        file_paths: [filePath],
-                        rationale: `Audit ${filePath} under the ${lens} lens.${hasExternalSignal ? " External analyzer signals raise priority for this path." : ""}`,
-                        priority,
-                        tags,
-                    });
-                    continue;
-                }
-                for (const range of ranges) {
-                    const id = `${unit.unit_id}:${lens}:${filePath}:${range.start}-${range.end}`;
-                    if (seen.has(id))
-                        continue;
+            const hasExternalSignal = unit.files.some((f) => externalPaths.has(f));
+            const priority = taskPriority(hasExternalSignal, lens);
+            const tags = hasExternalSignal ? ["external_analyzer_signal"] : [];
+            // Split files that are individually too large to group; everything else
+            // goes into one task so the agent can reason across file boundaries.
+            const oversizedFiles = fileSplitThreshold > 0
+                ? unit.files.filter((f) => (unitLineIndex[f] ?? 0) > fileSplitThreshold)
+                : [];
+            const normalFiles = unit.files.filter((f) => !oversizedFiles.includes(f));
+            // One task for all normal-sized files in this unit under this lens.
+            if (normalFiles.length > 0) {
+                const id = `${unit.unit_id}:${lens}`;
+                if (!seen.has(id)) {
                     seen.add(id);
                     tasks.push({
                         task_id: id,
                         unit_id: unit.unit_id,
                         pass_id: `pass:${lens}`,
                         lens,
-                        file_paths: [filePath],
-                        line_ranges: [
-                            { path: filePath, start: range.start, end: range.end },
-                        ],
-                        rationale: `Audit ${filePath} lines ${range.start}-${range.end} under the ${lens} lens.${hasExternalSignal ? " External analyzer signals raise priority for this path." : ""}`,
+                        file_paths: normalFiles,
+                        rationale: `Audit ${unit.unit_id} (${normalFiles.length} file${normalFiles.length === 1 ? "" : "s"}) under the ${lens} lens.${hasExternalSignal ? " External analyzer signals raise priority." : ""}`,
                         priority,
                         tags,
+                        model_hint: modelHintForLens(lens),
                     });
                 }
             }
+            // Oversized files each get their own task so the agent isn't overwhelmed.
+            for (const filePath of oversizedFiles) {
+                const id = `${unit.unit_id}:${lens}:${filePath}`;
+                if (seen.has(id))
+                    continue;
+                seen.add(id);
+                const fileHasSignal = externalPaths.has(filePath);
+                tasks.push({
+                    task_id: id,
+                    unit_id: unit.unit_id,
+                    pass_id: `pass:${lens}`,
+                    lens,
+                    file_paths: [filePath],
+                    rationale: `Audit ${filePath} (large file, split from unit) under the ${lens} lens.${fileHasSignal ? " External analyzer signals raise priority." : ""}`,
+                    priority: taskPriority(fileHasSignal, lens),
+                    tags: fileHasSignal
+                        ? ["external_analyzer_signal", "large_file"]
+                        : ["large_file"],
+                    model_hint: modelHintForLens(lens),
+                });
+            }
         }
     }
     return tasks.sort((a, b) => {
@@ -115,19 +125,19 @@ export function buildChunkedAuditTasks(unitManifest, unitLineIndex, options = {}
         return a.task_id.localeCompare(b.task_id);
     });
 }
-export function buildExternalSignalTasks(coverageMatrix, unitLineIndex, externalAnalyzerResults) {
+export function buildExternalSignalTasks(coverageMatrix, _unitLineIndex, externalAnalyzerResults) {
     if (!externalAnalyzerResults) {
         return [];
     }
     const tasks = [];
     const seen = new Set();
+    const coverageIndex = new Map(coverageMatrix.files.map((file) => [file.path, file]));
     for (const result of externalAnalyzerResults.results) {
         const lens = pickAnalyzerLens(result.category);
-        const coverage = coverageMatrix.files.find((file) => file.path === result.path);
+        const coverage = coverageIndex.get(result.path);
         if (!coverage || coverage.audit_status === "excluded") {
             continue;
         }
-        const lineCount = unitLineIndex[result.path] ?? 0;
         const id = `analyzer:${externalAnalyzerResults.tool}:${lens}:${result.path}:${result.id}`;
         if (seen.has(id)) {
             continue;
@@ -139,15 +149,13 @@ export function buildExternalSignalTasks(coverageMatrix, unitLineIndex, external
             pass_id: `analyzer:${externalAnalyzerResults.tool}:${lens}`,
             lens,
             file_paths: [result.path],
-            line_ranges: lineCount > 0
-                ? [{ path: result.path, start: 1, end: lineCount }]
-                : undefined,
             rationale: `Analyzer follow-up for ${result.path} under the ${lens} lens because ${externalAnalyzerResults.tool} reported: ${result.summary}`,
             priority: "high",
             tags: [
                 "external_analyzer_signal",
                 `external_tool:${externalAnalyzerResults.tool}`,
             ],
+            model_hint: modelHintForLens(lens),
         });
     }
     return tasks.sort((a, b) => a.task_id.localeCompare(b.task_id));

package/dist/prompts/renderWorkerPrompt.js

@@ -3,6 +3,38 @@ function shellQuote(arg) {
 }
 export function renderWorkerPrompt(task) {
     const command = task.worker_command.map(shellQuote).join(" ");
+    if (task.preferred_executor === "agent" && task.audit_results_path) {
+        const tasksPath = task.pending_audit_tasks_path ?? `${task.artifacts_dir}/audit_tasks.json`;
+        const lines = [
+            "You are executing one bounded audit task for audit-code.",
+            `Run ID: ${task.run_id}`,
+            `Repository root: ${task.repo_root}`,
+            "",
+            `Read the task file: ${tasksPath}`,
+            "It contains the task(s) assigned to this run.",
+            "",
+            "For each task:",
+            "  1. Read every file listed in file_paths in full using your file-reading tool.",
+            "     If line_ranges are present, they are a focus hint — still read the whole file.",
+            "  2. Review the content under the specified lens.",
+            "  3. Emit one AuditResult with:",
+            "       task_id, unit_id, pass_id, lens",
+            "       reviewed_ranges: [{path, start, end}] covering what you read",
+            "       findings: array (empty if nothing found)",
+            "     Each finding must include:",
+            "       id, title, category, severity, confidence, lens, summary, affected_files,",
+            "       evidence (at least one excerpt or line reference from the file you read)",
+            "     Optional finding fields: impact, likelihood, reproduction, systemic, related_findings",
+            `Write the AuditResult[] JSON array to: ${task.audit_results_path}`,
+        ];
+        if (task.skip_worker_command) {
+            lines.push("", "Stop after writing the results file.");
+        }
+        else {
+            lines.push("", "Then run this command exactly:", command, "Stop after the command completes.");
+        }
+        return lines.join("\n");
+    }
     return [
         "You are executing one bounded audit step for audit-code.",
         `Run ID: ${task.run_id}`,

package/dist/providers/claudeCodeProvider.js

@@ -7,11 +7,17 @@ export class ClaudeCodeProvider {
         this.config = config;
     }
     async launch(input) {
+        if (process.env.CLAUDECODE) {
+            throw new Error("claude-code provider cannot be used inside an active Claude Code session. " +
+                'Set provider to "local-subprocess" in .audit-artifacts/session-config.json, ' +
+                "then run /audit-code conversationally and follow the dispatch prompts manually.");
+        }
         const prompt = await readFile(input.promptPath, "utf8");
         const command = this.config.command ?? "claude";
         const args = [
             "-p",
             prompt,
+            ...(input.model ? ["--model", input.model] : []),
             ...(this.config.extra_args ?? []),
             "--dangerously-skip-permissions",
         ];

package/dist/providers/index.js

@@ -28,6 +28,7 @@ export function resolveFreshSessionProviderName(name, sessionConfig = {}, option
     const env = options.env ?? process.env;
     const lookupCommand = options.commandExists ?? commandExists;
     const inVSCode = (env.TERM_PROGRAM ?? "").toLowerCase() === "vscode";
+    const insideClaudeCode = Boolean(env.CLAUDECODE);
     if (inVSCode && hasEntries(sessionConfig.vscode_task?.command_template)) {
         return "vscode-task";
     }
@@ -36,9 +37,11 @@ export function resolveFreshSessionProviderName(name, sessionConfig = {}, option
     }
     const claudeCommand = sessionConfig.claude_code?.command ?? "claude";
     const opencodeCommand = sessionConfig.opencode?.command ?? "opencode";
-    const claudeAvailable = lookupCommand(claudeCommand);
+    const claudeAvailable = !insideClaudeCode && lookupCommand(claudeCommand);
     const opencodeAvailable = lookupCommand(opencodeCommand);
-    if (hasConfiguredClaudeCode(sessionConfig) && claudeAvailable) {
+    if (!insideClaudeCode &&
+        hasConfiguredClaudeCode(sessionConfig) &&
+        claudeAvailable) {
         return "claude-code";
     }
     if (hasConfiguredOpenCode(sessionConfig) && opencodeAvailable) {

package/dist/providers/opencodeProvider.js

@@ -9,7 +9,12 @@ export class OpenCodeProvider {
     async launch(input) {
         const prompt = await readFile(input.promptPath, "utf8");
         const command = this.config.command ?? "opencode";
-        const args = ["run", prompt, ...(this.config.extra_args ?? [])];
+        const args = [
+            "run",
+            prompt,
+            ...(input.model ? ["--model", input.model] : []),
+            ...(this.config.extra_args ?? []),
+        ];
         return await spawnLoggedCommand(command, args, input);
     }
 }

package/dist/providers/types.d.ts

@@ -9,6 +9,7 @@ export interface LaunchFreshSessionInput {
     stderrPath: string;
     uiMode: "visible" | "headless";
     timeoutMs: number;
+    model?: string;
 }
 export interface LaunchFreshSessionResult {
     accepted: boolean;

package/dist/reporting/mergeFindings.js

@@ -80,7 +80,6 @@ export function mergeFindings(results, runtimeReport, externalAnalyzerResults) {
                             ...analyzerEvidence,
                         ]),
                     ],
-                    remediation: [...new Set(finding.remediation ?? [])],
                     related_findings: [
                         ...new Set([...(finding.related_findings ?? []), finding.id]),
                     ],
@@ -109,12 +108,6 @@ export function mergeFindings(results, runtimeReport, externalAnalyzerResults) {
                     ...analyzerEvidence,
                 ]),
             ];
-            existing.remediation = [
-                ...new Set([
-                    ...(existing.remediation ?? []),
-                    ...(finding.remediation ?? []),
-                ]),
-            ];
             existing.related_findings = [
                 ...new Set([
                     ...(existing.related_findings ?? []),

package/dist/reporting/rootCause.d.ts

@@ -6,6 +6,5 @@ export interface RootCauseCluster {
     title: string;
     summary: string;
     finding_ids: string[];
-    recommended_actions: string[];
 }
 export declare function buildRootCauseClusters(findings: Finding[], runtimeReport?: RuntimeValidationReport, externalAnalyzerResults?: ExternalAnalyzerResults): RootCauseCluster[];

package/dist/reporting/rootCause.js

@@ -52,17 +52,11 @@ export function buildRootCauseClusters(findings, runtimeReport, externalAnalyzer
         .map(([key, grouped], index) => {
         const highestSeverity = grouped.reduce((max, finding) => Math.max(max, severityRank(finding.severity)), 1);
         const systemicCount = grouped.filter((finding) => finding.systemic).length;
-        const uniqueRemediations = [
-            ...new Set(grouped.flatMap((finding) => finding.remediation ?? [])),
-        ].slice(0, 5);
         return {
             id: `cluster-${index + 1}`,
             title: titleForCluster(key),
             summary: `Grouped ${grouped.length} finding(s); highest severity ${highestSeverity}; systemic flags ${systemicCount}. Runtime validation status: ${runtimeSummary}. External analyzer summary: ${externalSummary}.`,
             finding_ids: grouped.map((finding) => finding.id),
-            recommended_actions: uniqueRemediations.length > 0
-                ? uniqueRemediations
-                : [`Review systemic causes behind ${titleForCluster(key)}.`],
         };
     })
         .sort((a, b) => a.title.localeCompare(b.title));

package/dist/reporting/synthesis.js

@@ -14,6 +14,23 @@ function severityBreakdown(findings) {
     }
     return breakdown;
 }
+function zeroFindingLensNotes(results) {
+    const tasksByLens = new Map();
+    const findingsByLens = new Map();
+    for (const result of results) {
+        tasksByLens.set(result.lens, (tasksByLens.get(result.lens) ?? 0) + 1);
+        findingsByLens.set(result.lens, (findingsByLens.get(result.lens) ?? 0) + result.findings.length);
+    }
+    const zeroLenses = [...tasksByLens.entries()]
+        .filter(([lens, count]) => count > 0 && (findingsByLens.get(lens) ?? 0) === 0)
+        .map(([lens]) => lens)
+        .sort();
+    if (zeroLenses.length === 0)
+        return [];
+    return [
+        `Zero findings across all reviewed tasks for lens(es): ${zeroLenses.join(", ")}. Verify these tasks were genuinely reviewed rather than batch-generated.`,
+    ];
+}
 function externalSummary(results) {
     if (!results) {
         return { tool_count: 0, result_count: 0 };
@@ -47,6 +64,7 @@ export function buildSynthesisReport(results, runtimeReport, externalAnalyzerRes
                         `External analyzer signals incorporated: ${extSummary.result_count} result(s) from ${externalAnalyzerResults?.tool}.`,
                     ]
                     : []),
+                ...zeroFindingLensNotes(results),
             ],
         },
         merged_findings,

package/dist/supervisor/runLedger.js

@@ -1,4 +1,5 @@
-import { readJsonFile, writeJsonFile } from "../io/json.js";
+import { rename, writeFile } from "node:fs/promises";
+import { readJsonFile } from "../io/json.js";
 function ledgerPath(artifactsDir) {
     return `${artifactsDir}/run-ledger.json`;
 }
@@ -13,5 +14,8 @@ export async function loadRunLedger(artifactsDir) {
 export async function appendRunLedgerEntry(artifactsDir, entry) {
     const ledger = await loadRunLedger(artifactsDir);
     ledger.runs.push(entry);
-    await writeJsonFile(ledgerPath(artifactsDir), ledger);
+    const target = ledgerPath(artifactsDir);
+    const tmp = `${target}.tmp`;
+    await writeFile(tmp, JSON.stringify(ledger, null, 2) + "\n", "utf8");
+    await rename(tmp, target);
 }

package/dist/types/sessionConfig.d.ts

@@ -16,6 +16,11 @@ export interface VSCodeTaskConfig {
     command_template: string[];
     env?: Record<string, string>;
 }
+export interface ModelTiersConfig {
+    fast?: string;
+    balanced?: string;
+    capable?: string;
+}
 export interface SessionConfig {
     provider?: ProviderName;
     timeout_ms?: number;
@@ -24,4 +29,7 @@ export interface SessionConfig {
     claude_code?: ClaudeCodeConfig;
     opencode?: OpenCodeConfig;
     vscode_task?: VSCodeTaskConfig;
+    agent_task_batch_size?: number;
+    parallel_workers?: number;
+    model_tiers?: ModelTiersConfig;
 }

package/dist/types/workerSession.d.ts

@@ -8,6 +8,8 @@ export interface WorkerTask {
     result_path: string;
     worker_command: string[];
     audit_results_path?: string;
+    pending_audit_tasks_path?: string;
     runtime_updates_path?: string;
     external_analyzer_results_path?: string;
+    skip_worker_command?: boolean;
 }

package/dist/types.d.ts

@@ -43,7 +43,6 @@ export interface CoverageFileRecord {
     audit_status: string;
     required_lenses: Lens[];
     completed_lenses: Lens[];
-    reviewed_line_ranges: ReviewedLineRange[];
 }
 export interface CoverageMatrix {
     files: CoverageFileRecord[];
@@ -63,6 +62,7 @@ export interface AuditTask {
     rationale: string;
     priority?: "high" | "medium" | "low";
     tags?: string[];
+    model_hint?: "fast" | "balanced" | "capable";
 }
 export interface Finding {
     id: string;
@@ -82,7 +82,6 @@ export interface Finding {
     likelihood?: string;
     evidence?: string[];
     reproduction?: string[];
-    remediation?: string[];
     systemic?: boolean;
     related_findings?: string[];
 }

package/dist/validation/auditResults.d.ts

@@ -0,0 +1,11 @@
+import type { AuditResult, AuditTask } from "../types.js";
+export type IssueSeverity = "error" | "warning";
+export interface AuditResultIssue {
+    result_index: number;
+    task_id: string;
+    severity: IssueSeverity;
+    field: string;
+    message: string;
+}
+export declare function validateAuditResults(results: AuditResult[], tasks: AuditTask[]): AuditResultIssue[];
+export declare function formatAuditResultIssues(issues: AuditResultIssue[]): string;

package/dist/validation/auditResults.js

@@ -0,0 +1,118 @@
+const REQUIRED_FINDING_FIELDS = [
+    "id",
+    "title",
+    "category",
+    "severity",
+    "confidence",
+    "lens",
+    "summary",
+];
+const VALID_SEVERITIES = new Set(["critical", "high", "medium", "low", "info"]);
+const VALID_CONFIDENCES = new Set(["high", "medium", "low"]);
+function validateFinding(finding, label, taskId, resultIndex) {
+    const issues = [];
+    for (const field of REQUIRED_FINDING_FIELDS) {
+        const value = finding[field];
+        if (value === undefined || value === null || String(value).trim() === "") {
+            issues.push({
+                result_index: resultIndex,
+                task_id: taskId,
+                severity: "error",
+                field: `${label}.${field}`,
+                message: `Required field '${field}' is missing or empty.`,
+            });
+        }
+    }
+    if (finding.severity && !VALID_SEVERITIES.has(finding.severity)) {
+        issues.push({
+            result_index: resultIndex,
+            task_id: taskId,
+            severity: "error",
+            field: `${label}.severity`,
+            message: `Invalid severity '${finding.severity}'. Must be one of: ${[...VALID_SEVERITIES].join(", ")}.`,
+        });
+    }
+    if (finding.confidence && !VALID_CONFIDENCES.has(finding.confidence)) {
+        issues.push({
+            result_index: resultIndex,
+            task_id: taskId,
+            severity: "error",
+            field: `${label}.confidence`,
+            message: `Invalid confidence '${finding.confidence}'. Must be one of: ${[...VALID_CONFIDENCES].join(", ")}.`,
+        });
+    }
+    if (!finding.affected_files || finding.affected_files.length === 0) {
+        issues.push({
+            result_index: resultIndex,
+            task_id: taskId,
+            severity: "error",
+            field: `${label}.affected_files`,
+            message: "affected_files is empty — at least one file location is required.",
+        });
+    }
+    else {
+        for (let k = 0; k < finding.affected_files.length; k++) {
+            const af = finding.affected_files[k];
+            if (!af.path?.trim()) {
+                issues.push({
+                    result_index: resultIndex,
+                    task_id: taskId,
+                    severity: "error",
+                    field: `${label}.affected_files[${k}].path`,
+                    message: "affected_files entry has an empty path.",
+                });
+            }
+        }
+    }
+    if (!finding.evidence || finding.evidence.length === 0) {
+        issues.push({
+            result_index: resultIndex,
+            task_id: taskId,
+            severity: "error",
+            field: `${label}.evidence`,
+            message: "evidence is empty — at least one quoted or referenced excerpt from the reviewed file is required for every finding.",
+        });
+    }
+    else {
+        const hasSubstantiveEntry = finding.evidence.some((e) => e.trim().length > 0);
+        if (!hasSubstantiveEntry) {
+            issues.push({
+                result_index: resultIndex,
+                task_id: taskId,
+                severity: "error",
+                field: `${label}.evidence`,
+                message: "All evidence entries are empty strings.",
+            });
+        }
+    }
+    return issues;
+}
+export function validateAuditResults(results, tasks) {
+    const issues = [];
+    const taskMap = new Map(tasks.map((t) => [t.task_id, t]));
+    for (let i = 0; i < results.length; i++) {
+        const result = results[i];
+        const taskId = result.task_id ?? `result[${i}]`;
+        if (!result.reviewed_ranges || result.reviewed_ranges.length === 0) {
+            issues.push({
+                result_index: i,
+                task_id: taskId,
+                severity: "error",
+                field: "reviewed_ranges",
+                message: "reviewed_ranges is empty — no proof of file reading was recorded. " +
+                    "Each result must include the line ranges actually read.",
+            });
+        }
+        for (let j = 0; j < (result.findings ?? []).length; j++) {
+            const finding = result.findings[j];
+            const label = `findings[${j}]`;
+            issues.push(...validateFinding(finding, label, taskId, i));
+        }
+    }
+    return issues;
+}
+export function formatAuditResultIssues(issues) {
+    return issues
+        .map((issue) => `  [${issue.severity}] ${issue.task_id} / ${issue.field}: ${issue.message}`)
+        .join("\n");
+}