auditor-lambda 0.10.2 → 0.10.3

package/dist/cli/mergeAndIngestCommand.js

@@ -1,11 +1,12 @@
-import { readFile, readdir } from "node:fs/promises";
+import { readFile, readdir, rm } from "node:fs/promises";
+import { existsSync } from "node:fs";
 import { join, resolve } from "node:path";
 import { isFileMissingError, readJsonFile, writeJsonFile } from "@audit-tools/shared";
 import { validateAuditResults } from "../validation/auditResults.js";
 import { runAuditStep } from "./auditStep.js";
 import { DISPATCH_RESULT_MAP_FILENAME, ACTIVE_DISPATCH_FILENAME, loadDispatchResultMap, entriesByTaskId, buildPendingAuditTasks, } from "./dispatch.js";
 import { addFileLineCountHints } from "./lineIndex.js";
-import { isCanonicalResultFilename, getArtifactsDir, getFlag } from "./args.js";
+import { isCanonicalResultFilename, taskResultPath, getArtifactsDir, getFlag } from "./args.js";
 import { buildWorkerResult } from "./workerResult.js";
 import { PACKET_SCHEMA_FILENAMES } from "../io/runArtifacts.js";
 // Schema pointer files prepare-dispatch copies into task-results/ for optional
@@ -38,8 +39,31 @@ export async function cmdMergeAndIngest(argv) {
             throw e;
     }
     if (priorSummary) {
-        console.log(JSON.stringify({ ...priorSummary, idempotent_replay: true }, null, 2));
-        return;
+        // A completion marker can go stale. Selective deepening appends new pending
+        // tasks to the SAME run-id, and — in the no-progress-loop bug — their answers
+        // already sit on disk under canonical per-task names while the marker says the
+        // run is done. If any pending task has a recoverable on-disk result, the marker
+        // no longer reflects reality: discard it and re-process so those answers ingest
+        // instead of replaying a no-op forever. A genuinely terminal run (no pending
+        // tasks, or pending tasks not yet answered — e.g. a new round handled under a
+        // different run-id) still replays cleanly.
+        let pendingWithResults = 0;
+        try {
+            const pending = await readJsonFile(tasksPath);
+            for (const task of pending) {
+                if (existsSync(taskResultPath(taskResultsDir, task.task_id))) {
+                    pendingWithResults++;
+                }
+            }
+        }
+        catch { /* no pending-tasks file — treat as terminal and replay */ }
+        if (pendingWithResults === 0) {
+            console.log(JSON.stringify({ ...priorSummary, idempotent_replay: true }, null, 2));
+            return;
+        }
+        process.stderr.write(`[merge-and-ingest] completion marker for ${runId} is stale: ` +
+            `${pendingWithResults} pending task(s) have un-ingested on-disk results; re-processing.\n`);
+        await rm(mergeCompletePath, { force: true });
     }
     const workerTask = await readJsonFile(taskPath);
     const resultMap = await loadDispatchResultMap(runDir);
@@ -116,36 +140,48 @@ export async function cmdMergeAndIngest(argv) {
     }
     for (const task of allTasks) {
         const entry = entryByTaskId.get(task.task_id);
-        if (!entry) {
-            // No result-map entry => this pending task was not dispatched this round.
-            // Leave it pending for the next dispatch; it is not a failure.
-            notDispatched.push(task.task_id);
-            continue;
-        }
-        const filePath = entry.result_path;
         let obj;
-        try {
-            obj = JSON.parse(await readFile(filePath, "utf8"));
-        }
-        catch (e) {
-            if (isFileMissingError(e)) {
-                const fallback = fallbackByTaskId.get(task.task_id);
-                if (fallback) {
-                    process.stderr.write(`[merge-and-ingest] Recovered result for '${task.task_id}' from unexpected file (matched by task_id)\n`);
-                    obj = fallback;
+        if (entry) {
+            const filePath = entry.result_path;
+            try {
+                obj = JSON.parse(await readFile(filePath, "utf8"));
+            }
+            catch (e) {
+                if (isFileMissingError(e)) {
+                    const fallback = fallbackByTaskId.get(task.task_id);
+                    if (fallback) {
+                        process.stderr.write(`[merge-and-ingest] Recovered result for '${task.task_id}' from unexpected file (matched by task_id)\n`);
+                        obj = fallback;
+                    }
+                    else {
+                        failing.push({
+                            task_id: task.task_id,
+                            errors: ["Missing audit result for assigned task."],
+                        });
+                        continue;
+                    }
                 }
                 else {
-                    failing.push({
-                        task_id: task.task_id,
-                        errors: ["Missing audit result for assigned task."],
-                    });
+                    failing.push({ task_id: task.task_id, errors: [`Invalid JSON: ${e.message}`] });
                     continue;
                 }
             }
-            else {
-                failing.push({ task_id: task.task_id, errors: [`Invalid JSON: ${e.message}`] });
+        }
+        else {
+            // No result-map entry => this pending task was not dispatched this round.
+            // But its answer may already exist on disk under a canonical per-task name
+            // (e.g. a selective-deepening task answered in a prior round whose dispatch
+            // manifest was later regenerated empty — the no-progress loop this guards
+            // against). Recover it by task_id so it ingests instead of looping forever
+            // as "pending"; only when no such file exists is the task genuinely held
+            // back for the next dispatch (not a failure).
+            const fallback = fallbackByTaskId.get(task.task_id);
+            if (!fallback) {
+                notDispatched.push(task.task_id);
                 continue;
             }
+            process.stderr.write(`[merge-and-ingest] Recovered un-dispatched task '${task.task_id}' from on-disk result file (matched by task_id)\n`);
+            obj = fallback;
         }
         const record = obj && typeof obj === "object" && !Array.isArray(obj)
             ? obj
@@ -278,6 +314,12 @@ export async function cmdMergeAndIngest(argv) {
     // failures stay replayable for retry, and a canary (notDispatched > 0) must NOT
     // be marked complete or the fan-out merge on the same run-id would short-circuit
     // to an idempotent replay and silently drop the fan-out results.
+    //
+    // Selective deepening appends new pending tasks to the SAME run-id; this marker
+    // can therefore go stale once those tasks are later dispatched and answered. The
+    // replay guard at the top detects that (a pending task with an on-disk result)
+    // and re-processes, so a premature marker self-heals instead of stranding the
+    // deepening answers behind an idempotent replay (the no-progress loop).
     if (failing.length === 0 && notDispatched.length === 0) {
         await writeJsonFile(mergeCompletePath, summaryPayload);
     }

package/dist/reporting/findingIdentity.d.ts

@@ -0,0 +1,21 @@
+import type { Finding } from "../types.js";
+/**
+ * Re-key finalized findings with globally-unique, content-derived ids at the
+ * synthesis boundary.
+ *
+ * Worker packets assign locally-scoped ids (e.g. `MNT-001`) that collide across
+ * packets once merged, which breaks `audit-findings.json` as a machine contract:
+ * `buildWorkBlocks` keys its union-find on `id` (so colliding ids fuse unrelated
+ * findings into one block), and `work_blocks.finding_ids` / theme `finding_ids` /
+ * the remediator's per-finding addressing can no longer resolve a single finding.
+ *
+ * The id is `<LENS_PREFIX>-<sha256(content)[:8]>`, deterministic and stable so a
+ * re-synthesis of the same findings produces the same ids. A vanishingly rare
+ * hash collision between two *distinct* findings is broken deterministically with
+ * a numeric suffix (findings arrive in mergeFindings()' stable order).
+ *
+ * `related_findings`, when present, referenced the old colliding ids and cannot
+ * be remapped unambiguously, so it is dropped rather than left dangling. (It is
+ * unpopulated by every current extractor.)
+ */
+export declare function assignStableFindingIds(findings: Finding[]): Finding[];

package/dist/reporting/findingIdentity.js

@@ -0,0 +1,72 @@
+import { createHash } from "node:crypto";
+// Stable lens -> id prefix. The lens is the canonical addressing axis, so the
+// prefix always matches it (no convention drift) and the content hash that
+// follows guarantees global uniqueness.
+const LENS_ID_PREFIX = {
+    correctness: "COR",
+    architecture: "ARC",
+    maintainability: "MNT",
+    security: "SEC",
+    reliability: "REL",
+    performance: "PRF",
+    data_integrity: "DAT",
+    tests: "TST",
+    operability: "OPR",
+    config_deployment: "CFG",
+    observability: "OBS",
+};
+/**
+ * A stable signature of a finding's identity-bearing content. The same logical
+ * finding yields the same signature across runs (so its id is reproducible),
+ * while two distinct findings — which only coexist after surviving merge and
+ * dedup with different content — yield different signatures.
+ */
+function contentSignature(finding) {
+    const files = finding.affected_files
+        .map((file) => `${file.path}:${file.line_start ?? ""}:${file.line_end ?? ""}:${file.symbol ?? ""}`)
+        .sort()
+        .join(",");
+    return [
+        finding.lens.trim().toLowerCase(),
+        finding.category.trim().toLowerCase(),
+        finding.title.trim().toLowerCase(),
+        files,
+    ].join("|");
+}
+/**
+ * Re-key finalized findings with globally-unique, content-derived ids at the
+ * synthesis boundary.
+ *
+ * Worker packets assign locally-scoped ids (e.g. `MNT-001`) that collide across
+ * packets once merged, which breaks `audit-findings.json` as a machine contract:
+ * `buildWorkBlocks` keys its union-find on `id` (so colliding ids fuse unrelated
+ * findings into one block), and `work_blocks.finding_ids` / theme `finding_ids` /
+ * the remediator's per-finding addressing can no longer resolve a single finding.
+ *
+ * The id is `<LENS_PREFIX>-<sha256(content)[:8]>`, deterministic and stable so a
+ * re-synthesis of the same findings produces the same ids. A vanishingly rare
+ * hash collision between two *distinct* findings is broken deterministically with
+ * a numeric suffix (findings arrive in mergeFindings()' stable order).
+ *
+ * `related_findings`, when present, referenced the old colliding ids and cannot
+ * be remapped unambiguously, so it is dropped rather than left dangling. (It is
+ * unpopulated by every current extractor.)
+ */
+export function assignStableFindingIds(findings) {
+    const used = new Set();
+    return findings.map((finding) => {
+        const prefix = LENS_ID_PREFIX[finding.lens.trim().toLowerCase()] ?? "FND";
+        const hash = createHash("sha256")
+            .update(contentSignature(finding))
+            .digest("hex")
+            .slice(0, 8);
+        let id = `${prefix}-${hash}`;
+        for (let n = 2; used.has(id); n++) {
+            id = `${prefix}-${hash}-${n}`;
+        }
+        used.add(id);
+        const reKeyed = { ...finding, id };
+        delete reKeyed.related_findings;
+        return reKeyed;
+    });
+}

package/dist/reporting/synthesis.js

@@ -1,6 +1,7 @@
 import { AUDITOR_REPORT_MARKER } from "@audit-tools/shared";
 import { buildWorkBlocks } from "./workBlocks.js";
 import { mergeFindings } from "./mergeFindings.js";
+import { assignStableFindingIds } from "./findingIdentity.js";
 /** Contract version stamped onto the canonical `audit-findings.json`. */
 export const AUDIT_FINDINGS_CONTRACT_VERSION = "audit-tools/audit-findings/v1";
 function countBy(items, selectKey) {
@@ -37,7 +38,11 @@ function formatSeverityList(summary) {
     return parts.length > 0 ? parts.join(", ") : "none";
 }
 export function buildAuditReportModel(params) {
-    const findings = mergeFindings(params.results, params.runtimeValidationReport, params.externalAnalyzerResults, params.designAssessment);
+    // Re-key the finalized findings with globally-unique, content-derived ids
+    // before anything addresses them by id. buildWorkBlocks keys its union-find on
+    // finding.id, so the locally-scoped, collision-prone ids worker packets emit
+    // must be replaced here or unrelated findings fuse into one block.
+    const findings = assignStableFindingIds(mergeFindings(params.results, params.runtimeValidationReport, params.externalAnalyzerResults, params.designAssessment));
     const workBlocks = buildWorkBlocks({
         findings,
         unitManifest: params.unitManifest,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.10.2",
+  "version": "0.10.3",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",

package/schemas/finding.schema.json

@@ -50,7 +50,8 @@
           "path": { "type": "string" },
           "line_start": { "type": "integer", "minimum": 1 },
           "line_end": { "type": "integer", "minimum": 1 },
-          "symbol": { "type": "string" }
+          "symbol": { "type": "string" },
+          "hash_at_plan_time": { "type": "string" }
         },
         "additionalProperties": false
       }