auditor-lambda 0.10.0 → 0.10.2

package/dist/cli/args.d.ts

@@ -24,6 +24,17 @@ export declare function digestId(value: string): string;
 export declare function safeArtifactStem(value: string): string;
 export declare function artifactNameForId(value: string, extension: string): string;
 export declare function quoteCommandArg(value: string): string;
+/**
+ * Normalize a generated command token to POSIX path separators. These command
+ * strings are embedded in step prompts and `allowed_commands` and run by the
+ * host — often through a bash-like shell, which treats `\` as an escape and
+ * silently corrupts Windows absolute paths (`node C:\a\b.mjs` collapses to
+ * `node C:ab.mjs`). Node accepts forward slashes on Windows, and `/` survives
+ * bash, PowerShell, and cmd alike. Only tokens that actually carry a backslash
+ * are touched, and no non-path argument in this CLI contains one, so this is a
+ * targeted normalization rather than a blanket rewrite.
+ */
+export declare function toPosixCommandToken(value: string): string;
 export declare function renderCommand(argv: string[]): string;
 export declare function summarizeLaunchExit(result: {
     accepted?: boolean;

package/dist/cli/args.js

@@ -80,8 +80,21 @@ export function artifactNameForId(value, extension) {
 export function quoteCommandArg(value) {
     return /[\s"]/u.test(value) ? `"${value.replace(/"/g, '\\"')}"` : value;
 }
+/**
+ * Normalize a generated command token to POSIX path separators. These command
+ * strings are embedded in step prompts and `allowed_commands` and run by the
+ * host — often through a bash-like shell, which treats `\` as an escape and
+ * silently corrupts Windows absolute paths (`node C:\a\b.mjs` collapses to
+ * `node C:ab.mjs`). Node accepts forward slashes on Windows, and `/` survives
+ * bash, PowerShell, and cmd alike. Only tokens that actually carry a backslash
+ * are touched, and no non-path argument in this CLI contains one, so this is a
+ * targeted normalization rather than a blanket rewrite.
+ */
+export function toPosixCommandToken(value) {
+    return value.includes("\\") ? value.replace(/\\/g, "/") : value;
+}
 export function renderCommand(argv) {
-    return argv.map((item) => quoteCommandArg(item)).join(" ");
+    return argv.map((item) => quoteCommandArg(toPosixCommandToken(item))).join(" ");
 }
 export function summarizeLaunchExit(result) {
     if (result.accepted !== false && !result.error) {

package/dist/cli/dispatch.js

@@ -9,7 +9,7 @@ import { orderTasksForPacketReview, buildReviewPackets, sizeIndexFromManifest, }
 import { buildFileAnchorSummary } from "../orchestrator/fileAnchors.js";
 import { resolveFreshSessionProviderName } from "../providers/index.js";
 import { loadSessionConfig } from "../supervisor/sessionConfig.js";
-import { scheduleWave, buildProviderModelKey, resolveHostModel, readQuotaState, resolveHostActiveSubagentLimit, lookupDiscoveredLimits, mergeDiscoveredLimits, } from "../quota/index.js";
+import { computeDispatchCapacity, buildProviderModelKey, resolveHostModel, readQuotaState, resolveHostActiveSubagentLimit, lookupDiscoveredLimits, mergeDiscoveredLimits, } from "../quota/index.js";
 import { taskResultPath, packetPromptPath, artifactNameForId, toBase64Url, fromBase64Url, getFlag, } from "./args.js";
 export const LARGE_FILE_PACKET_TARGET_LINES = 2500;
 export const SMALL_MODEL_HINT_MAX_LINES = 500;
@@ -274,7 +274,17 @@ export async function prepareDispatchArtifacts(params) {
     // FINDING-011: single-worker canary. On first contact with a multi-packet run,
     // dispatch only the top packet; the held-back packets' tasks keep no result
     // file, so they re-enter `dispatchTasks` on the next call (fan-out).
-    const firstContact = priorResultTaskIds.size === 0;
+    //
+    // Graduation signal: the canary fires only on the FIRST dispatch of a run and
+    // then fans out. "First dispatch" is recorded directly by active-dispatch.json
+    // (written at the end of every prepareDispatch), so derive it from
+    // priorActiveDispatch.run_id. The previous signal — "no pending task has a
+    // result file" (priorResultTaskIds.size === 0) — silently broke: merge-and-ingest
+    // prunes accepted task_ids out of pending-audit-tasks.json, so post-canary the
+    // still-pending tasks have no result files, priorResultTaskIds stayed empty, and
+    // the canary re-fired every cycle (1 packet forever, never reaching fan-out).
+    const priorDispatchThisRun = priorActiveDispatch?.run_id === runId;
+    const firstContact = !priorDispatchThisRun;
     const canaryEnabled = sessionConfig.dispatch?.canary !== false; // default on
     const doCanary = firstContact && canaryEnabled && packets.length > 1;
     const canaryPacketId = doCanary ? packets[0].packet_id : null;
@@ -554,17 +564,27 @@ export async function prepareDispatchArtifacts(params) {
         DEFAULT_EMPIRICAL_HALF_LIFE_HOURS;
     const quotaSource = buildQuotaSource({ halfLifeHours });
     const quotaSourceSnapshot = await quotaSource.queryCurrentUsage(quotaProviderKey).catch(() => null);
-    const waveSchedule = scheduleWave({
+    // Size the dispatch just-in-time against the full pending layout (one token
+    // estimate per emitted packet) and the host pool's current limits, rather than
+    // a preset wave size. `parallel_workers` is no longer the ambition — it is
+    // folded into hostConcurrencyLimit as a ceiling (resolveHostActiveSubagentLimit).
+    // Today there is a single pool (the conversation host's subagents); a
+    // heterogeneous provider pool slots in here without changing the call.
+    const hostPool = {
+        id: quotaProviderKey,
         providerName: quotaProviderName,
-        sessionConfig,
         hostModel,
-        requestedConcurrency: sessionConfig.parallel_workers ?? plan.length,
-        estimatedSlotTokens: perPacketTokens,
-        quotaStateEntry,
         hostConcurrencyLimit,
+        quotaStateEntry,
         discoveredLimits,
         quotaSourceSnapshot,
+    };
+    const dispatchCapacity = computeDispatchCapacity({
+        pools: [hostPool],
+        sessionConfig,
+        pendingItemTokens: perPacketTokens,
     });
+    const waveSchedule = dispatchCapacity.primary.schedule;
     const dispatchQuota = {
         contract_version: "audit-code-dispatch-quota/v1alpha2",
         run_id: runId,
@@ -573,9 +593,9 @@ export async function prepareDispatchArtifacts(params) {
         confidence: waveSchedule.confidence,
         source: waveSchedule.source,
         host_concurrency_limit: waveSchedule.host_concurrency_limit,
-        wave_size: waveSchedule.wave_size,
-        estimated_wave_tokens: waveSchedule.estimated_wave_tokens,
-        cooldown_until: waveSchedule.cooldown_until,
+        wave_size: dispatchCapacity.total_slots,
+        estimated_wave_tokens: dispatchCapacity.estimated_wave_tokens,
+        cooldown_until: dispatchCapacity.cooldown_until,
         quota_source_snapshot: waveSchedule.quota_source_snapshot ?? null,
         backoff_state: null,
     };
@@ -642,7 +662,7 @@ export async function prepareDispatchArtifacts(params) {
     // FINDING-012: pure-arithmetic fan-out summary the loader can gate on.
     const fanout = computeDispatchFanout({
         agentCount: plan.length,
-        waveSize: waveSchedule.wave_size,
+        waveSize: dispatchCapacity.total_slots,
         confirmThreshold: sessionConfig.dispatch?.confirm_threshold,
     });
     return {
@@ -652,7 +672,7 @@ export async function prepareDispatchArtifacts(params) {
         packet_count: plan.length,
         task_count: orderedTasks.length,
         skipped_task_count: priorResultTaskIds.size,
-        wave_size: waveSchedule.wave_size,
+        wave_size: dispatchCapacity.total_slots,
         phase,
         canary_packet_id: canaryPacketId,
         agent_count: fanout.agent_count,

package/dist/cli/mergeAndIngestCommand.js

@@ -65,6 +65,13 @@ export async function cmdMergeAndIngest(argv) {
     }
     const passing = [];
     const failing = [];
+    // Pending tasks that were NOT dispatched this round (canary emitted only the
+    // top packet, or a budget cap deferred packets). They are not failures — they
+    // re-enter dispatch on the next round — so they are tracked separately and must
+    // never inflate rejected_count, force a non-zero exit, or gate the completion
+    // marker. Conflating them with failures is what produced the spurious
+    // "180 failed" + exit-2 on every canary merge.
+    const notDispatched = [];
     const seenTaskIds = new Set();
     const spuriousFiles = [];
     const fallbackByTaskId = new Map();
@@ -110,10 +117,9 @@ export async function cmdMergeAndIngest(argv) {
     for (const task of allTasks) {
         const entry = entryByTaskId.get(task.task_id);
         if (!entry) {
-            failing.push({
-                task_id: task.task_id,
-                errors: ["Missing dispatch result-map entry for assigned task."],
-            });
+            // No result-map entry => this pending task was not dispatched this round.
+            // Leave it pending for the next dispatch; it is not a failure.
+            notDispatched.push(task.task_id);
             continue;
         }
         const filePath = entry.result_path;
@@ -180,10 +186,15 @@ export async function cmdMergeAndIngest(argv) {
         // fact intact and the first merge had simply already succeeded.
         throw new Error(`All ${failing.length} assigned task result(s) were missing or invalid; blocked before ingestion. See ${failedTasksPath}`);
     }
-    await writeJsonFile(auditResultsPath, passing);
     const findingCount = passing.reduce((sum, result) => sum + result.findings.length, 0);
     let result = null;
     if (passing.length > 0) {
+        // Write the transient results file only when there is something to ingest.
+        // Writing [] unconditionally would, on a stray re-invocation where every
+        // accepted task was already pruned from the pending set (passing=0,
+        // notDispatched>0), truncate a prior run-results.json — the same data loss
+        // the failing>0 guard above prevents but a notDispatched-only merge bypasses.
+        await writeJsonFile(auditResultsPath, passing);
         result = await runAuditStep({
             root: workerTask.repo_root,
             artifactsDir,
@@ -197,7 +208,11 @@ export async function cmdMergeAndIngest(argv) {
     try {
         const dispatch = await readJsonFile(activeDispatchPath);
         if (dispatch.run_id === runId) {
-            dispatch.status = failing.length > 0 ? "active" : "merged";
+            // "merged" only when this round is fully drained: every dispatched task
+            // accepted AND nothing held back. A canary (notDispatched > 0) stays
+            // "active" because the fan-out round on the same run-id still has to merge.
+            dispatch.status =
+                failing.length > 0 || notDispatched.length > 0 ? "active" : "merged";
             await writeJsonFile(activeDispatchPath, dispatch);
         }
     }
@@ -221,7 +236,11 @@ export async function cmdMergeAndIngest(argv) {
         process.stderr.write(`[merge-and-ingest] ${passing.length} accepted, ${failing.length} failed. ` +
             `Retry packets: ${failedPacketIds.join(", ")}\n`);
     }
-    const status = failing.length > 0
+    // "partial" whenever work remains for this run — either genuine dispatched
+    // failures (failing) or tasks held back this round (notDispatched). The exit
+    // code below distinguishes the two: only genuine failures exit non-zero, so a
+    // canary reports status "partial" but exits 0 (progressing, not an error).
+    const status = failing.length > 0 || notDispatched.length > 0
         ? "partial"
         : (result?.progress_made ? "completed" : "no_progress");
     const workerResult = buildWorkerResult({
@@ -241,6 +260,7 @@ export async function cmdMergeAndIngest(argv) {
         status,
         accepted_count: passing.length,
         rejected_count: failing.length,
+        not_dispatched_count: notDispatched.length,
         spurious_file_count: spuriousFiles.length,
         finding_count: findingCount,
         audit_results_path: auditResultsPath,
@@ -254,9 +274,11 @@ export async function cmdMergeAndIngest(argv) {
     };
     // Record a completion marker for a fully-merged run so a stray re-invocation
     // replays this summary (above) instead of re-processing — and possibly
-    // clobbering — terminal state. Only on full success: a partial merge is meant
-    // to be re-run after the failed packets are retried, so it stays replayable.
-    if (failing.length === 0) {
+    // clobbering — terminal state. Only when this round is fully drained: genuine
+    // failures stay replayable for retry, and a canary (notDispatched > 0) must NOT
+    // be marked complete or the fan-out merge on the same run-id would short-circuit
+    // to an idempotent replay and silently drop the fan-out results.
+    if (failing.length === 0 && notDispatched.length === 0) {
         await writeJsonFile(mergeCompletePath, summaryPayload);
     }
     console.log(JSON.stringify(summaryPayload, null, 2));

package/dist/cli/prompts.js

@@ -1,3 +1,4 @@
+import { DO_NOT_TOKEN_WRAP_NOTE } from "@audit-tools/shared";
 import { renderCommand } from "./args.js";
 /**
  * Token prefix the host should use to re-invoke the backend in generated
@@ -107,6 +108,8 @@ export function renderDispatchReviewPrompt(params) {
         "",
         "**After all waves complete:**",
         "",
+        DO_NOT_TOKEN_WRAP_NOTE,
+        "",
         "Run exactly:",
         "",
         `  ${mergeCommand}`,

package/dist/quota/index.d.ts

@@ -3,6 +3,8 @@ export { resolveLimits, lookupKnownModel, classifyProvider, readQuotaState, writ
 export type { LimitResolutionResult, ResolveLimitsOptions, ProviderType, ResolvedLimits, LimitSource, LimitConfidence, HostConcurrencyLimit, HostConcurrencyLimitSource, QuotaState, QuotaStateEntry, ConcurrencyBucket, WaveSchedule, BackoffState, ObservedWaveOutcome, RateLimitDetectionResult, SlidingWindowResult, QuotaSource, QuotaUsageSnapshot, ErrorParser, } from "@audit-tools/shared";
 export { scheduleWave, buildProviderModelKey, resolveHostModel } from "@audit-tools/shared";
 export type { ScheduleWaveOptions } from "@audit-tools/shared";
+export { computeDispatchCapacity } from "@audit-tools/shared";
+export type { CapacityPool, PoolDispatchAllocation, DispatchCapacity, } from "@audit-tools/shared";
 export { detectHostActiveSubagentLimit, resolveHostActiveSubagentLimit, } from "./hostLimits.js";
 export { lookupDiscoveredLimits, updateDiscoveredLimits, mergeDiscoveredLimits, readDiscoveredLimitsCache, writeDiscoveredLimitsCache, } from "./discoveredLimits.js";
 export type { DiscoveredRateLimits, DiscoveredLimitsCache, DiscoveredLimitsCacheEntry } from "./discoveredLimits.js";

package/dist/quota/index.js

@@ -4,6 +4,10 @@ export { resolveLimits, lookupKnownModel, classifyProvider, readQuotaState, writ
 // both orchestrators). Auditor passes its discovered-limits via the structural
 // DiscoveredRateLimitsInput the shared scheduler accepts.
 export { scheduleWave, buildProviderModelKey, resolveHostModel } from "@audit-tools/shared";
+// Capacity model: the JIT, multi-pool-capable layer both orchestrators size
+// dispatch with. Single host pool today; heterogeneous provider pools slot in
+// without changing call sites.
+export { computeDispatchCapacity } from "@audit-tools/shared";
 // Auditor-specific: discovered limits, header extraction
 export { detectHostActiveSubagentLimit, resolveHostActiveSubagentLimit, } from "./hostLimits.js";
 export { lookupDiscoveredLimits, updateDiscoveredLimits, mergeDiscoveredLimits, readDiscoveredLimitsCache, writeDiscoveredLimitsCache, } from "./discoveredLimits.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.10.0",
+  "version": "0.10.2",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",