auditor-lambda 0.10.2 → 0.10.7

package/dist/extractors/graphManifestEdges/yamlPaths.js

@@ -0,0 +1,89 @@
+import { posix } from "node:path";
+import { graphEdge, normalizeGraphPath, resolveCandidate } from "../graphPathUtils.js";
+import { stripYamlComment, unquoteYamlScalar } from "./yaml.js";
+export const YAML_PATH_REFERENCE_LINK_CONFIDENCE = 0.8;
+export const YAML_CONFIG_EXTENSIONS = [".yaml", ".yml", ".json", ".toml"];
+function isYamlSourcePath(path) {
+    const lower = normalizeGraphPath(path).toLowerCase();
+    return lower.endsWith(".yaml") || lower.endsWith(".yml");
+}
+function looksLikeConfigFilePath(value) {
+    if (!value.includes("/"))
+        return false;
+    if (/^[a-z][a-z0-9+.-]*:/i.test(value))
+        return false;
+    if (value.startsWith("/"))
+        return false;
+    const lower = value.toLowerCase();
+    return YAML_CONFIG_EXTENSIONS.some((ext) => lower.endsWith(ext));
+}
+function extractYamlScalarValues(content) {
+    const values = [];
+    for (const rawLine of content.split(/\r?\n/)) {
+        const withoutComment = stripYamlComment(rawLine);
+        const trimmed = withoutComment.trim();
+        if (trimmed.length === 0)
+            continue;
+        let rawValue;
+        // key: value
+        const keyValueMatch = /^[^:[\]{}]+:\s+(.+)$/.exec(trimmed);
+        if (keyValueMatch?.[1]) {
+            rawValue = keyValueMatch[1].trim();
+        }
+        else {
+            // - value (list item)
+            const listItemMatch = /^-\s+(.+)$/.exec(trimmed);
+            if (listItemMatch?.[1]) {
+                rawValue = listItemMatch[1].trim();
+            }
+        }
+        if (!rawValue)
+            continue;
+        const value = unquoteYamlScalar(rawValue);
+        if (looksLikeConfigFilePath(value)) {
+            values.push(value);
+        }
+    }
+    return values;
+}
+function resolveYamlPathReference(fromPath, specifier, pathLookup) {
+    const normalized = normalizeGraphPath(specifier.replace(/^\.\//, ""));
+    if (normalized.length === 0)
+        return undefined;
+    // Try as repo-root-relative first (many YAML configs use repo-root paths)
+    const repoRootTarget = resolveCandidate(normalized, pathLookup);
+    if (repoRootTarget)
+        return repoRootTarget;
+    // Fallback: relative to the YAML file's directory
+    const fromDir = posix.dirname(normalizeGraphPath(fromPath));
+    if (fromDir !== ".") {
+        const dirRelative = posix.join(fromDir, normalized);
+        const dirTarget = resolveCandidate(dirRelative, pathLookup);
+        if (dirTarget)
+            return dirTarget;
+    }
+    return undefined;
+}
+export function extractYamlPathReferenceEdges(fromPath, content, pathLookup) {
+    if (!isYamlSourcePath(fromPath))
+        return [];
+    const values = extractYamlScalarValues(content);
+    if (values.length === 0)
+        return [];
+    const edges = [];
+    const seen = new Set();
+    for (const value of values) {
+        const target = resolveYamlPathReference(fromPath, value, pathLookup);
+        if (!target || target === fromPath || seen.has(target))
+            continue;
+        seen.add(target);
+        edges.push(graphEdge({
+            from: fromPath,
+            to: target,
+            kind: "yaml-path-reference-link",
+            confidence: YAML_PATH_REFERENCE_LINK_CONFIDENCE,
+            reason: `YAML file references path '${value}'.`,
+        }));
+    }
+    return edges;
+}

package/dist/extractors/graphPythonImports.js

@@ -83,7 +83,7 @@ function pythonLogicalLines(content) {
         const continued = stripped.endsWith("\\");
         const line = continued ? stripped.slice(0, -1).trimEnd() : stripped;
         pending = pending.length > 0 ? `${pending} ${line}` : line;
-        parenDepth += pythonParenDelta(line);
+        parenDepth = Math.max(0, parenDepth + pythonParenDelta(line));
         if (!continued && parenDepth <= 0) {
             logicalLines.push(pending.replace(/\s+/g, " ").trim());
             pending = "";
@@ -337,26 +337,10 @@ export function extractPythonImportEdges(fromPath, content, pathLookup) {
             continue;
         }
         const moduleSpecifier = fromImportMatch[1] ?? "";
-        if (!isPythonModuleSpecifier(moduleSpecifier)) {
-            continue;
-        }
-        const importedNames = splitPythonImportList(fromImportMatch[2] ?? "")
-            .map(stripPythonAlias)
-            .filter((name) => name !== "*" && isPythonIdentifier(name));
-        const submoduleTargets = importedNames
-            .map((name) => appendPythonImportedSpecifier(moduleSpecifier, name))
-            .map((specifier) => ({
-            specifier,
-            target: resolvePythonModuleSpecifier(fromPath, specifier, pathLookup),
-        }))
-            .filter((item) => item.target);
-        if (submoduleTargets.length > 0) {
-            for (const { specifier, target } of submoduleTargets) {
-                addPythonImportEdge(edges, fromPath, target, "python-from-import", specifier);
-            }
-            continue;
+        const rawNames = splitPythonImportList(fromImportMatch[2] ?? "").map(stripPythonAlias);
+        for (const { specifier, target } of resolvePythonFromImportTargets(fromPath, moduleSpecifier, rawNames, pathLookup)) {
+            addPythonImportEdge(edges, fromPath, target, "python-from-import", specifier);
         }
-        addPythonImportEdge(edges, fromPath, resolvePythonModuleSpecifier(fromPath, moduleSpecifier, pathLookup), "python-from-import", moduleSpecifier);
     }
     return edges;
 }

package/dist/extractors/pathPatterns.js

@@ -204,7 +204,7 @@ export function isGeneratedTestArtifactPath(normalized) {
     return splitSegments(normalized).some((segment) => segment.startsWith(".test-") && segment.endsWith("-artifacts"));
 }
 export function isAuditArtifactPath(normalized) {
-    return splitSegments(normalized).some((segment) => segment.startsWith(".audit-artifacts"));
+    return hasSegment(normalized, ".audit-artifacts");
 }
 export function isTestPath(normalized) {
     const segments = splitSegments(normalized);
@@ -259,20 +259,10 @@ export function isSurfacePath(normalized) {
         hasToken(normalized, ["cli"]));
 }
 export function isBackgroundSurfacePath(normalized) {
-    return hasToken(normalized, ["worker", "workers", "job", "jobs"]);
+    return hasToken(normalized, CONCURRENCY_KEYWORDS);
 }
 export function isNetworkSurfacePath(normalized) {
-    return (hasSegment(normalized, "api") ||
-        hasToken(normalized, [
-            "route",
-            "routes",
-            "controller",
-            "controllers",
-            "handler",
-            "handlers",
-            "endpoint",
-            "endpoints",
-        ]));
+    return hasSegment(normalized, "api") || hasToken(normalized, INTERFACE_KEYWORDS);
 }
 export function isBillingPath(normalized) {
     return hasToken(normalized, BILLING_KEYWORDS);

package/dist/io/artifacts.d.ts

@@ -12,7 +12,7 @@ import type { DesignAssessment } from "../types/designAssessment.js";
 import type { AnalyzerCapabilityRecord } from "../types/analyzerCapability.js";
 import type { AuditScopeManifest } from "../types/auditScope.js";
 import type { ToolingManifest } from "../types/toolingManifest.js";
-import type { ActiveDispatchState } from "../cli/dispatch.js";
+import type { ActiveDispatchState } from "../types/activeDispatch.js";
 type ArtifactPayloadMap = {
     repo_manifest: RepoManifest;
     file_disposition: FileDisposition;

package/dist/io/artifacts.js

@@ -149,8 +149,11 @@ export async function promoteFinalAuditReport(params, options = {}) {
     try {
         await copy(join(params.artifactsDir, "audit-findings.json"), join(params.repoRoot, "audit-findings.json"), { force: true });
     }
-    catch {
+    catch (error) {
         // audit-findings.json is optional output; absence must not fail promotion.
+        // Log so operators can distinguish a partial promotion from a clean one.
+        warn(`audit-code: could not promote audit-findings.json to ${join(params.repoRoot, "audit-findings.json")}: ` +
+            (error instanceof Error ? error.message : String(error)));
     }
     try {
         await remove(params.artifactsDir, { recursive: true, force: true });

package/dist/io/runArtifacts.d.ts

@@ -21,6 +21,12 @@ export declare function getRunPaths(artifactsDir: string, runId: string): RunPat
 export declare function ensureSupervisorDirs(artifactsDir: string): Promise<void>;
 export declare function writeWorkerTaskFiles(task: WorkerTask, prompt: string, paths: RunPaths, artifactsDir: string, currentTasks?: AuditTask[], options?: {
     updateDispatch?: boolean;
+}, log?: {
+    event: (name: string, data: Record<string, unknown>) => void;
+}): Promise<void>;
+export declare function writeDispatchBatchFiles(artifactsDir: string, runs: DispatchBatchRun[], currentTasks: AuditTask[], log?: {
+    event: (name: string, data: Record<string, unknown>) => void;
+}): Promise<void>;
+export declare function clearDispatchFiles(artifactsDir: string, log?: {
+    event: (name: string, data: Record<string, unknown>) => void;
 }): Promise<void>;
-export declare function writeDispatchBatchFiles(artifactsDir: string, runs: DispatchBatchRun[], currentTasks: AuditTask[]): Promise<void>;
-export declare function clearDispatchFiles(artifactsDir: string): Promise<void>;

package/dist/io/runArtifacts.js

@@ -19,16 +19,19 @@ export const PACKET_SCHEMA_FILENAMES = [
     "finding.schema.json",
     "audit_task.schema.json",
 ];
+async function copySchemaFiles(targetDir, entries) {
+    await mkdir(targetDir, { recursive: true });
+    for (const entry of entries) {
+        await writeFile(join(targetDir, entry.name), await readFile(entry.srcPath, "utf8"), "utf8");
+    }
+}
 /**
  * Copy {@link PACKET_SCHEMA_FILENAMES} into `targetDir` under their canonical
  * filenames, making the AuditResult schema reachable from a dispatch run's
  * `task-results/` directory.
  */
 export async function writePacketSchemaFiles(targetDir, pkgRoot) {
-    await mkdir(targetDir, { recursive: true });
-    for (const name of PACKET_SCHEMA_FILENAMES) {
-        await writeFile(join(targetDir, name), await readFile(join(pkgRoot, "schemas", name), "utf8"), "utf8");
-    }
+    await copySchemaFiles(targetDir, PACKET_SCHEMA_FILENAMES.map(name => ({ srcPath: join(pkgRoot, "schemas", name), name })));
 }
 const CURRENT_TASK_FILENAME = "current-task.json";
 const CURRENT_PROMPT_FILENAME = "current-prompt.md";
@@ -87,10 +90,11 @@ async function writeDispatchSchemaFiles(artifactsDir) {
     // Ensure the dispatch dir exists: this is now written before the pointer
     // files (which formerly created it), and parallel-slot dispatch may reach
     // here before the canonical dispatch has run.
-    await mkdir(dispatchDir, { recursive: true });
-    await writeFile(join(dispatchDir, CURRENT_SCHEMA_FILENAME), await readFile(auditResultSchemaPath, "utf8"), "utf8");
-    await writeFile(join(dispatchDir, CURRENT_RESULTS_SCHEMA_FILENAME), await readFile(auditResultsSchemaPath, "utf8"), "utf8");
-    await writeFile(join(dispatchDir, CURRENT_FINDING_SCHEMA_FILENAME), await readFile(findingSchemaPath, "utf8"), "utf8");
+    await copySchemaFiles(dispatchDir, [
+        { srcPath: auditResultSchemaPath, name: CURRENT_SCHEMA_FILENAME },
+        { srcPath: auditResultsSchemaPath, name: CURRENT_RESULTS_SCHEMA_FILENAME },
+        { srcPath: findingSchemaPath, name: CURRENT_FINDING_SCHEMA_FILENAME },
+    ]);
 }
 function renderSingleTaskFallbackPrompt(task, auditTask) {
     const commandArgv = JSON.stringify(task.worker_command);
@@ -135,68 +139,88 @@ async function writeSingleTaskFallbackFiles(artifactsDir, task, currentTasks) {
     await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_SINGLE_TASK_FILENAME), firstTask);
     await writeFile(join(artifactsDir, "dispatch", CURRENT_SINGLE_TASK_PROMPT_FILENAME), renderSingleTaskFallbackPrompt(task, firstTask), "utf8");
 }
-export async function writeWorkerTaskFiles(task, prompt, paths, artifactsDir, currentTasks, options = {}) {
-    await mkdir(paths.runDir, { recursive: true });
-    await writeJsonFile(paths.taskPath, task);
-    await writeFile(paths.promptPath, prompt, "utf8");
-    await writeJsonFile(paths.statusPath, {
-        run_id: task.run_id,
-        status: "dispatched",
-    });
-    // The result schema files are always required by the worker, regardless of
-    // whether this run owns the shared "current dispatch" pointer files.
-    await writeDispatchSchemaFiles(artifactsDir);
-    // Parallel-slot dispatch passes updateDispatch:false so each slot does NOT
-    // clobber the shared current-task / current-prompt / current-tasks pointers
-    // (only the single canonical dispatch should own them). The default path
-    // (updateDispatch unset/true) refreshes those pointers and the single-task
-    // fallback.
-    const updateDispatch = options.updateDispatch !== false;
-    if (!updateDispatch) {
-        return;
+export async function writeWorkerTaskFiles(task, prompt, paths, artifactsDir, currentTasks, options = {}, log) {
+    try {
+        await mkdir(paths.runDir, { recursive: true });
+        await writeJsonFile(paths.taskPath, task);
+        await writeFile(paths.promptPath, prompt, "utf8");
+        await writeJsonFile(paths.statusPath, {
+            run_id: task.run_id,
+            status: "dispatched",
+        });
+        // The result schema files are always required by the worker, regardless of
+        // whether this run owns the shared "current dispatch" pointer files.
+        await writeDispatchSchemaFiles(artifactsDir);
+        // Parallel-slot dispatch passes updateDispatch:false so each slot does NOT
+        // clobber the shared current-task / current-prompt / current-tasks pointers
+        // (only the single canonical dispatch should own them). The default path
+        // (updateDispatch unset/true) refreshes those pointers and the single-task
+        // fallback.
+        const updateDispatch = options.updateDispatch !== false;
+        if (!updateDispatch) {
+            return;
+        }
+        await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASK_FILENAME), task);
+        await writeFile(join(artifactsDir, "dispatch", CURRENT_PROMPT_FILENAME), prompt, "utf8");
+        await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASKS_FILENAME), currentTasks ?? []);
+        await writeSingleTaskFallbackFiles(artifactsDir, task, currentTasks);
+    }
+    catch (err) {
+        log?.event("dispatch_io_error", {
+            run_id: task.run_id ?? null,
+            function: "writeWorkerTaskFiles",
+            error: String(err),
+        });
+        throw err;
     }
-    await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASK_FILENAME), task);
-    await writeFile(join(artifactsDir, "dispatch", CURRENT_PROMPT_FILENAME), prompt, "utf8");
-    await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASKS_FILENAME), currentTasks ?? []);
-    await writeSingleTaskFallbackFiles(artifactsDir, task, currentTasks);
 }
-export async function writeDispatchBatchFiles(artifactsDir, runs, currentTasks) {
-    const summary = {
-        contract_version: "audit-code-dispatch/v1alpha1",
-        mode: "parallel-batch",
-        run_count: runs.length,
-        current_tasks_path: join(artifactsDir, "dispatch", CURRENT_TASKS_FILENAME),
-        runs,
-    };
-    const promptLines = [
-        "# audit-code parallel dispatch",
-        "",
-        `This batch launched ${runs.length} deferred review run(s).`,
-        "Each run keeps its own task.json, prompt.md, result.json, and status.json under .audit-artifacts/runs/<run_id>/.",
-        "Use current-tasks.json for the combined task list. The per-run files below are operational references for launched workers; do not read per-run prompt or schema files unless debugging a failed dispatch.",
-        "",
-        "Runs:",
-        ...runs.flatMap((run) => [
-            `- ${run.run_id}`,
-            `  task: ${run.task_path}`,
-            `  prompt (worker-owned; do not read during normal orchestration): ${run.prompt_path}`,
-            `  result: ${run.result_path}`,
-            `  status: ${run.status_path}`,
-            ...(run.audit_results_path
-                ? [`  audit results: ${run.audit_results_path}`]
-                : []),
-            ...(run.pending_audit_tasks_path
-                ? [`  pending tasks: ${run.pending_audit_tasks_path}`]
-                : []),
-        ]),
-        "",
-    ];
-    await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASK_FILENAME), summary);
-    await writeFile(join(artifactsDir, "dispatch", CURRENT_PROMPT_FILENAME), promptLines.join("\n"), "utf8");
-    await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASKS_FILENAME), currentTasks);
-    await writeDispatchSchemaFiles(artifactsDir);
+export async function writeDispatchBatchFiles(artifactsDir, runs, currentTasks, log) {
+    try {
+        const summary = {
+            contract_version: "audit-code-dispatch/v1alpha1",
+            mode: "parallel-batch",
+            run_count: runs.length,
+            current_tasks_path: join(artifactsDir, "dispatch", CURRENT_TASKS_FILENAME),
+            runs,
+        };
+        const promptLines = [
+            "# audit-code parallel dispatch",
+            "",
+            `This batch launched ${runs.length} deferred review run(s).`,
+            "Each run keeps its own task.json, prompt.md, result.json, and status.json under .audit-artifacts/runs/<run_id>/.",
+            "Use current-tasks.json for the combined task list. The per-run files below are operational references for launched workers; do not read per-run prompt or schema files unless debugging a failed dispatch.",
+            "",
+            "Runs:",
+            ...runs.flatMap((run) => [
+                `- ${run.run_id}`,
+                `  task: ${run.task_path}`,
+                `  prompt (worker-owned; do not read during normal orchestration): ${run.prompt_path}`,
+                `  result: ${run.result_path}`,
+                `  status: ${run.status_path}`,
+                ...(run.audit_results_path
+                    ? [`  audit results: ${run.audit_results_path}`]
+                    : []),
+                ...(run.pending_audit_tasks_path
+                    ? [`  pending tasks: ${run.pending_audit_tasks_path}`]
+                    : []),
+            ]),
+            "",
+        ];
+        await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASK_FILENAME), summary);
+        await writeFile(join(artifactsDir, "dispatch", CURRENT_PROMPT_FILENAME), promptLines.join("\n"), "utf8");
+        await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASKS_FILENAME), currentTasks);
+        await writeDispatchSchemaFiles(artifactsDir);
+    }
+    catch (err) {
+        log?.event("dispatch_io_error", {
+            run_id: "batch",
+            function: "writeDispatchBatchFiles",
+            error: String(err),
+        });
+        throw err;
+    }
 }
-export async function clearDispatchFiles(artifactsDir) {
+export async function clearDispatchFiles(artifactsDir, log) {
     const targets = [
         CURRENT_TASK_FILENAME,
         CURRENT_PROMPT_FILENAME,
@@ -207,7 +231,17 @@ export async function clearDispatchFiles(artifactsDir) {
         CURRENT_RESULTS_SCHEMA_FILENAME,
         CURRENT_FINDING_SCHEMA_FILENAME,
     ];
-    for (const name of targets) {
-        await rm(join(artifactsDir, "dispatch", name), { force: true });
+    try {
+        for (const name of targets) {
+            await rm(join(artifactsDir, "dispatch", name), { force: true });
+        }
+    }
+    catch (err) {
+        log?.event("dispatch_io_error", {
+            run_id: "clear",
+            function: "clearDispatchFiles",
+            error: String(err),
+        });
+        throw err;
     }
 }

package/dist/io/toolingManifest.js

@@ -44,7 +44,8 @@ async function readPackageVersion() {
         const packageJson = JSON.parse(await readFile(packageJsonPath, "utf8"));
         return typeof packageJson.version === "string" ? packageJson.version : null;
     }
-    catch {
+    catch (error) {
+        process.stderr.write(`[audit-code] readPackageVersion: failed to read/parse ${packageJsonPath}: ${error instanceof Error ? error.message : String(error)}\n`);
         return null;
     }
 }

package/dist/orchestrator/advance.js

@@ -1,3 +1,4 @@
+import { randomUUID } from "node:crypto";
 import { decideNextStep, findObligation } from "./nextStep.js";
 import { deriveAuditState } from "./state.js";
 import { computeArtifactMetadata } from "./artifactMetadata.js";
@@ -36,8 +37,12 @@ function formatExecutorFailure(selectedExecutor, selectedObligation, error) {
         cause: error instanceof Error ? error : undefined,
     });
 }
+function createCorrelationId() {
+    return randomUUID().replace(/-/g, "").slice(0, 8);
+}
 export async function advanceAudit(bundle, options = {}) {
     const log = options.runLogger ?? RunLogger.disabled();
+    const correlationId = createCorrelationId();
     const decision = decideNextStep(bundle);
     const forcedExecutor = options.preferredExecutor ?? null;
     const selectedExecutor = forcedExecutor ?? decision.selected_executor;
@@ -47,6 +52,7 @@ export async function advanceAudit(bundle, options = {}) {
     log.event({
         phase: "advance",
         kind: "obligation",
+        correlationId,
         obligation: selectedObligation ?? undefined,
         note: decision.reason,
     });
@@ -74,6 +80,7 @@ export async function advanceAudit(bundle, options = {}) {
     log.event({
         phase: "advance",
         kind: "executor_start",
+        correlationId,
         obligation: selectedObligation ?? undefined,
         note: selectedExecutor,
     });
@@ -85,6 +92,7 @@ export async function advanceAudit(bundle, options = {}) {
                 break;
             }
             case "structure_executor":
+                // root is intentionally optional: present → buildGraphBundleFromFs, absent → manifest-only buildGraphBundle
                 run = await runStructureExecutor(bundle, options.root);
                 break;
             case "graph_enrichment_executor":
@@ -147,7 +155,32 @@ export async function advanceAudit(bundle, options = {}) {
                 run = runSyntaxResolutionExecutor(bundle, root);
                 break;
             }
+            // `agent` is a host-delegation executor: its review tasks are dispatched
+            // to the active LLM agent (or a worker) and ingested via
+            // result_ingestion_executor — advanceAudit cannot complete them
+            // deterministically. Callers (next-step / run-to-completion) route it
+            // through host delegation before reaching here; if it is dispatched into
+            // advanceAudit directly it falls through to the default branch, which
+            // returns a no-progress "selected but not yet dispatched" handoff rather
+            // than throwing. An explicit case keeps the registry⇄switch invariant
+            // (executor-registry-sync) honest about agent being handled here.
+            case "agent":
             default: {
+                log.event({
+                    phase: "advance",
+                    kind: "error",
+                    correlationId,
+                    obligation: selectedObligation ?? undefined,
+                    note: `Unrecognized executor: ${selectedExecutor}`,
+                });
+                log.event({
+                    phase: "advance",
+                    kind: "executor_end",
+                    correlationId,
+                    obligation: selectedObligation ?? undefined,
+                    note: selectedExecutor,
+                    duration_ms: Date.now() - executorStartedAt,
+                });
                 const state = deriveAuditState(bundle);
                 state.last_executor = selectedExecutor;
                 state.last_obligation = selectedObligation ?? undefined;
@@ -170,6 +203,7 @@ export async function advanceAudit(bundle, options = {}) {
     log.event({
         phase: "advance",
         kind: "executor_end",
+        correlationId,
         obligation: selectedObligation ?? undefined,
         note: selectedExecutor,
         duration_ms: Date.now() - executorStartedAt,
@@ -178,6 +212,7 @@ export async function advanceAudit(bundle, options = {}) {
         log.event({
             phase: "advance",
             kind: "scope",
+            correlationId,
             obligation: selectedObligation ?? undefined,
             note: plannedScope.mode === "delta"
                 ? `delta since ${plannedScope.since}: ${plannedScope.seed_files.length} changed + ${plannedScope.expanded_files.length} neighbors; full audit advised before release`
@@ -188,6 +223,7 @@ export async function advanceAudit(bundle, options = {}) {
         log.event({
             phase: "advance",
             kind: "artifact_write",
+            correlationId,
             obligation: selectedObligation ?? undefined,
             artifact,
         });

package/dist/orchestrator/artifactFreshness.d.ts

@@ -1,4 +1,4 @@
 export declare function stableStringify(value: unknown): string;
 export declare function normalizeForMetadataHash(artifactName: string, value: unknown): unknown;
 export declare function hashArtifactValue(artifactName: string, value: unknown): string;
-export declare function buildReverseDependencyMap(): Record<string, string[]>;
+export declare function buildArtifactDependenciesMap(): Record<string, string[]>;

package/dist/orchestrator/artifactFreshness.js

@@ -42,7 +42,7 @@ export function hashArtifactValue(artifactName, value) {
         .update(stableStringify(normalizeForMetadataHash(artifactName, value)))
         .digest("hex");
 }
-export function buildReverseDependencyMap() {
+export function buildArtifactDependenciesMap() {
     const reverse = {};
     for (const [upstream, downstreamList] of Object.entries(ARTIFACT_DEPENDENTS_MAP)) {
         reverse[upstream] ??= [];

package/dist/orchestrator/artifactMetadata.js

@@ -1,7 +1,7 @@
 import { createHash } from "node:crypto";
 import { getArtifactValue } from "../io/artifacts.js";
-import { buildReverseDependencyMap, hashArtifactValue, stableStringify, } from "./artifactFreshness.js";
-const REVERSE_DEPENDENCY_MAP = buildReverseDependencyMap();
+import { buildArtifactDependenciesMap, hashArtifactValue, stableStringify, } from "./artifactFreshness.js";
+const ARTIFACT_DEPENDENCIES_MAP = buildArtifactDependenciesMap();
 function computeDependencyFirstOrder(artifactNames) {
     const target = new Set(artifactNames);
     const ordered = [];
@@ -13,7 +13,7 @@ function computeDependencyFirstOrder(artifactNames) {
         if (temporary.has(artifactName))
             return;
         temporary.add(artifactName);
-        const dependencies = (REVERSE_DEPENDENCY_MAP[artifactName] ?? [])
+        const dependencies = (ARTIFACT_DEPENDENCIES_MAP[artifactName] ?? [])
             .filter((dependencyName) => target.has(dependencyName))
             .sort();
         for (const dependencyName of dependencies) {
@@ -49,7 +49,7 @@ export function computeArtifactStateSignature(bundle) {
 export function computeArtifactMetadata(bundle, previous, updatedArtifacts = []) {
     const artifacts = {};
     const updated = new Set(updatedArtifacts);
-    const presentArtifacts = Object.keys(REVERSE_DEPENDENCY_MAP).filter((artifactName) => artifactName !== "artifact_metadata.json" &&
+    const presentArtifacts = Object.keys(ARTIFACT_DEPENDENCIES_MAP).filter((artifactName) => artifactName !== "artifact_metadata.json" &&
         present(bundle, artifactName));
     const orderedArtifacts = computeDependencyFirstOrder(presentArtifacts);
     for (const artifactName of orderedArtifacts) {
@@ -64,7 +64,7 @@ export function computeArtifactMetadata(bundle, previous, updatedArtifacts = [])
             continue;
         }
         const contentHash = hashArtifactValue(artifactName, value);
-        const dependencyRevisions = Object.fromEntries((REVERSE_DEPENDENCY_MAP[artifactName] ?? [])
+        const dependencyRevisions = Object.fromEntries((ARTIFACT_DEPENDENCIES_MAP[artifactName] ?? [])
             .filter((dependencyName) => dependencyName !== "artifact_metadata.json")
             .sort()
             .map((dependencyName) => [

package/dist/orchestrator/auditTaskUtils.d.ts

@@ -1,4 +1,8 @@
 import type { AuditTask, Lens } from "../types.js";
+/** Lens ordering for task prioritization, derived from {@link LENS_REGISTRY}
+ * (sorted ascending by `order_weight`). Deriving this from the registry ensures
+ * every lens — including `architecture`, which was previously absent from the
+ * hardcoded array — is automatically included when added to the registry. */
 export declare const LENS_ORDER: Lens[];
 export declare function priorityRank(priority: AuditTask["priority"]): number;
 export declare function sortLenses(lenses: Iterable<Lens>): Lens[];

package/dist/orchestrator/auditTaskUtils.js

@@ -1,15 +1,11 @@
-export const LENS_ORDER = [
-    "security",
-    "correctness",
-    "reliability",
-    "data_integrity",
-    "performance",
-    "operability",
-    "config_deployment",
-    "observability",
-    "maintainability",
-    "tests",
-];
+import { LENS_REGISTRY } from "../types.js";
+/** Lens ordering for task prioritization, derived from {@link LENS_REGISTRY}
+ * (sorted ascending by `order_weight`). Deriving this from the registry ensures
+ * every lens — including `architecture`, which was previously absent from the
+ * hardcoded array — is automatically included when added to the registry. */
+export const LENS_ORDER = [...LENS_REGISTRY]
+    .sort((a, b) => a.order_weight - b.order_weight)
+    .map((d) => d.id);
 export function priorityRank(priority) {
     switch (priority) {
         case "high":