auditor-lambda 0.10.3 → 0.10.7

package/audit-code-wrapper-opencode.mjs

@@ -0,0 +1,256 @@
+export const OPENCODE_AUDIT_EDIT_PERMISSION = {
+  '*': 'ask',
+  '.audit-code/**': 'allow',
+  '.audit-artifacts/**': 'allow',
+  'audit-report.md': 'allow',
+};
+
+export const OPENCODE_AUDIT_EXTERNAL_DIRECTORY_PERMISSION = { '*': 'allow' };
+
+export const OPENCODE_AUDIT_BASH_PERMISSION = {
+  '*': 'allow',
+  'audit-code run-to-completion*': 'deny',
+  'audit-code synthesize*': 'deny',
+  'audit-code cleanup*': 'deny',
+  'audit-code requeue*': 'deny',
+  'audit-code ingest-results*': 'deny',
+  '*dist*index.js* run-to-completion*': 'deny',
+  '*dist*index.js* synthesize*': 'deny',
+  '*dist*index.js* cleanup*': 'deny',
+  '*dist*index.js* requeue*': 'deny',
+  '*dist*index.js* ingest-results*': 'deny',
+  '*audit-code.mjs* run-to-completion*': 'deny',
+  '*audit-code.mjs* synthesize*': 'deny',
+  '*audit-code.mjs* cleanup*': 'deny',
+  '*audit-code.mjs* requeue*': 'deny',
+  '*audit-code.mjs* ingest-results*': 'deny',
+  'audit-code': 'allow',
+  'audit-code ensure*': 'allow',
+  'audit-code next-step*': 'allow',
+  'audit-code prepare-dispatch*': 'allow',
+  'audit-code submit-packet*': 'allow',
+  'audit-code merge-and-ingest*': 'allow',
+  'audit-code validate*': 'allow',
+  '*audit-code.mjs': 'allow',
+  '*audit-code.mjs* ensure*': 'allow',
+  '*audit-code.mjs* next-step*': 'allow',
+  '*audit-code.mjs* prepare-dispatch*': 'allow',
+  '*audit-code.mjs* submit-packet*': 'allow',
+  '*audit-code.mjs* merge-and-ingest*': 'allow',
+  '*audit-code.mjs* worker-run*': 'allow',
+  '*audit-code.mjs* validate*': 'allow',
+  '*node* *auditor-lambda*dist*index.js* worker-run*': 'allow',
+  'git status*': 'allow',
+  'git diff*': 'allow',
+  'grep *': 'allow',
+  'Select-String *': 'allow',
+  'rm *': 'deny',
+};
+
+function externalDirectoryPattern(path) {
+  return `${path.replace(/\\/g, '/').replace(/\/+$/u, '')}/**`;
+}
+
+function renderOpenCodeExternalDirectoryPermission() {
+  return { '*': 'allow' };
+}
+
+export function renderOpenCodePermissionConfig() {
+  return {
+    read: 'allow',
+    glob: 'allow',
+    grep: 'allow',
+    external_directory: renderOpenCodeExternalDirectoryPermission(),
+    edit: { ...OPENCODE_AUDIT_EDIT_PERMISSION },
+    bash: { ...OPENCODE_AUDIT_BASH_PERMISSION },
+  };
+}
+
+export function renderOpenCodeProjectConfig(_root) {
+  const auditPermission = renderOpenCodePermissionConfig();
+  return {
+    $schema: 'https://opencode.ai/config.json',
+    permission: auditPermission,
+    agent: {
+      auditor: {
+        description:
+          'Read-heavy audit orchestration agent for the /audit-code workflow.',
+        permission: {
+          ...auditPermission,
+          'auditor_*': 'allow',
+          question: 'allow',
+          task: 'allow',
+        },
+      },
+    },
+  };
+}
+
+export function objectValue(value) {
+  return value && typeof value === 'object' && !Array.isArray(value)
+    ? value
+    : {};
+}
+
+export function mergeOpenCodePermissionRule(existingRule, generatedRule, managedRules = {}) {
+  if (generatedRule && typeof generatedRule === 'object' && !Array.isArray(generatedRule)) {
+    const generatedObject = generatedRule;
+    const merged = {};
+    const existingObject =
+      existingRule && typeof existingRule === 'object' && !Array.isArray(existingRule)
+        ? existingRule
+        : {};
+
+    if (typeof existingRule === 'string') {
+      merged['*'] = existingRule;
+    } else {
+      merged['*'] = existingObject['*'] ?? generatedObject['*'] ?? 'ask';
+    }
+
+    for (const [key, value] of Object.entries(generatedObject)) {
+      if (key !== '*') merged[key] = value;
+    }
+    for (const [key, value] of Object.entries(existingObject)) {
+      if (key !== '*') merged[key] = value;
+    }
+    for (const [key, value] of Object.entries(managedRules)) {
+      merged[key] = value;
+    }
+
+    return merged;
+  }
+
+  return existingRule ?? generatedRule;
+}
+
+export function mergeOpenCodePermissionConfig(existingPermission, generatedPermission) {
+  if (!existingPermission || typeof existingPermission !== 'object' || Array.isArray(existingPermission)) {
+    return generatedPermission;
+  }
+
+  return {
+    ...generatedPermission,
+    ...existingPermission,
+    read: generatedPermission.read,
+    glob: generatedPermission.glob,
+    grep: generatedPermission.grep,
+    external_directory: mergeOpenCodePermissionRule(
+      existingPermission.external_directory,
+      generatedPermission.external_directory,
+      OPENCODE_AUDIT_EXTERNAL_DIRECTORY_PERMISSION,
+    ),
+    edit: mergeOpenCodePermissionRule(
+      existingPermission.edit,
+      generatedPermission.edit,
+      OPENCODE_AUDIT_EDIT_PERMISSION,
+    ),
+    bash: mergeOpenCodePermissionRule(
+      existingPermission.bash,
+      generatedPermission.bash,
+      OPENCODE_AUDIT_BASH_PERMISSION,
+    ),
+  };
+}
+
+export function removeManagedOpenCodeCommand(commandConfig) {
+  const command = objectValue(commandConfig);
+  const { 'audit-code': _managedAuditCodeCommand, ...remaining } = command;
+  return remaining;
+}
+
+export function assertOpenCodeAuditPermissionConfig(permissionConfig, label) {
+  for (const tool of ['read', 'glob', 'grep']) {
+    if (permissionConfig?.[tool] !== 'allow') {
+      throw new Error(`OpenCode ${label}.${tool} must be allow. Run "audit-code install --host opencode".`);
+    }
+  }
+  const externalDirectory = permissionConfig?.external_directory;
+  if (!externalDirectory || typeof externalDirectory !== 'object' || Array.isArray(externalDirectory)) {
+    throw new Error(`OpenCode ${label}.external_directory must set "*" to "allow". Run "audit-code install --host opencode".`);
+  }
+  if (externalDirectory['*'] !== 'allow') {
+    throw new Error(`OpenCode ${label}.external_directory must set "*" to "allow". Run "audit-code install --host opencode".`);
+  }
+  const edit = permissionConfig?.edit;
+  const bash = permissionConfig?.bash;
+  if (!edit || typeof edit !== 'object' || Array.isArray(edit)) {
+    throw new Error(`OpenCode ${label}.edit must allow audit-owned file paths. Run "audit-code install --host opencode".`);
+  }
+  for (const pattern of ['.audit-code/**', '.audit-artifacts/**', 'audit-report.md']) {
+    if (edit[pattern] !== 'allow') {
+      throw new Error(`OpenCode ${label}.edit must allow ${pattern}. Run "audit-code install --host opencode".`);
+    }
+  }
+  if (!bash || typeof bash !== 'object' || Array.isArray(bash)) {
+    throw new Error(`OpenCode ${label}.bash must allow audit-code commands. Run "audit-code install --host opencode".`);
+  }
+  for (const pattern of [
+    'audit-code',
+    'audit-code ensure*',
+    'audit-code next-step*',
+    'audit-code prepare-dispatch*',
+    'audit-code submit-packet*',
+    'audit-code merge-and-ingest*',
+    '*audit-code.mjs',
+    '*audit-code.mjs* next-step*',
+    '*audit-code.mjs* submit-packet*',
+    '*audit-code.mjs* merge-and-ingest*',
+    '*audit-code.mjs* worker-run*',
+    '*node* *auditor-lambda*dist*index.js* worker-run*',
+  ]) {
+    if (bash[pattern] !== 'allow') {
+      throw new Error(`OpenCode ${label}.bash must allow ${pattern}. Run "audit-code install --host opencode".`);
+    }
+  }
+  for (const pattern of [
+    'audit-code run-to-completion*',
+    'audit-code synthesize*',
+    'audit-code cleanup*',
+    'audit-code requeue*',
+    'audit-code ingest-results*',
+    '*dist*index.js* run-to-completion*',
+    '*dist*index.js* synthesize*',
+    '*dist*index.js* cleanup*',
+    '*dist*index.js* requeue*',
+    '*dist*index.js* ingest-results*',
+    '*audit-code.mjs* run-to-completion*',
+    '*audit-code.mjs* synthesize*',
+    '*audit-code.mjs* cleanup*',
+    '*audit-code.mjs* requeue*',
+    '*audit-code.mjs* ingest-results*',
+  ]) {
+    if (bash[pattern] !== 'deny') {
+      throw new Error(`OpenCode ${label}.bash must deny ${pattern}. Run "audit-code install --host opencode".`);
+    }
+  }
+}
+
+export function buildMergedOpenCodeProjectConfig(existing, root) {
+  const generated = renderOpenCodeProjectConfig(root);
+  const mergedMcp = objectValue(existing.mcp);
+  delete mergedMcp.auditor;
+  return {
+    ...existing,
+    $schema: existing.$schema ?? generated.$schema,
+    command: removeManagedOpenCodeCommand(existing.command),
+    mcp: mergedMcp,
+    permission: {
+      ...mergeOpenCodePermissionConfig(existing.permission, generated.permission),
+      external_directory: { '*': 'allow' },
+    },
+    agent: {
+      ...objectValue(existing.agent),
+      auditor: {
+        ...objectValue(objectValue(existing.agent).auditor),
+        ...generated.agent.auditor,
+        permission: {
+          ...mergeOpenCodePermissionConfig(
+            objectValue(objectValue(existing.agent).auditor).permission,
+            generated.agent.auditor.permission,
+          ),
+          external_directory: { '*': 'allow' },
+        },
+      },
+    },
+  };
+}

package/dispatch/merge-results.mjs

@@ -27,8 +27,8 @@ if (existsSync(tasksPath)) {
     for (const task of tasks) {
       taskMap[task.task_id] = task;
     }
-  } catch {
-    // proceed without task context
+  } catch (e) {
+    process.stderr.write(`[warn] Could not read pending-audit-tasks.json; line-count validation will be skipped: ${e.message}\n`);
   }
 }
 
@@ -69,7 +69,9 @@ if (failing.length > 0) {
   writeFileSync(failedTasksPath, JSON.stringify(failing, null, 2));
   process.stderr.write(`${failing.length} task(s) failed validation and were excluded:\n`);
   for (const f of failing) {
-    process.stderr.write(`  ✗ ${f.task_id}: ${f.errors[0]}\n`);
+    for (const err of f.errors) {
+      process.stderr.write(`  ✗ ${f.task_id}: ${err}\n`);
+    }
   }
 }
 

package/dispatch/validate-result.mjs

@@ -40,8 +40,8 @@ if (existsSync(tasksPath)) {
   try {
     const tasks = JSON.parse(readFileSync(tasksPath, "utf8"));
     task = tasks.find(t => t.task_id === taskId) ?? null;
-  } catch {
-    // proceed without task context
+  } catch (e) {
+    process.stderr.write(`[warn] Could not read pending-audit-tasks.json; line-count validation will be skipped: ${e.message}\n`);
   }
 }
 

package/dist/adapters/coverageSummary.js

@@ -1,11 +1,15 @@
 import { normalizeGenericExternalResults } from "./normalizeExternal.js";
+/** Minimum acceptable line coverage percentage; files below this are flagged. */
+const COVERAGE_THRESHOLD_LOW = 80;
+/** Line coverage percentage below which severity is escalated to "high" (otherwise "medium"). */
+const COVERAGE_SEVERITY_HIGH = 50;
 export function normalizeCoverageSummary(files) {
     return normalizeGenericExternalResults("coverage-summary", files
-        .filter((file) => file.lines_pct < 80)
+        .filter((file) => file.lines_pct < COVERAGE_THRESHOLD_LOW)
         .map((file, index) => ({
         id: `coverage-${index + 1}`,
         category: "tests",
-        severity: file.lines_pct < 50 ? "high" : "medium",
+        severity: file.lines_pct < COVERAGE_SEVERITY_HIGH ? "high" : "medium",
         path: file.path,
         summary: `Low line coverage: ${file.lines_pct}%${typeof file.branches_pct === "number" ? `, branch coverage ${file.branches_pct}%` : ""}.`,
         raw: file,

package/dist/adapters/normalizeExternal.js

@@ -1,3 +1,18 @@
+function normalizeExternalSeverity(value) {
+    switch (value?.toLowerCase()) {
+        case "critical": return "critical";
+        case "error":
+        case "high": return "high";
+        case "warning":
+        case "moderate":
+        case "medium": return "medium";
+        case "low": return "low";
+        case "info":
+        case "note":
+        case "hint": return "info";
+        default: return "info";
+    }
+}
 export function normalizeGenericExternalResults(tool, items) {
     const valid = items.filter((item) => item.path && item.summary);
     const dropped = items.length - valid.length;
@@ -10,7 +25,7 @@ export function normalizeGenericExternalResults(tool, items) {
         results: valid.map((item, index) => ({
             id: item.id ?? `${tool}-${index + 1}`,
             category: item.category ?? "unknown",
-            severity: item.severity ?? "unknown",
+            severity: normalizeExternalSeverity(item.severity),
             path: item.path,
             line_start: item.line_start,
             line_end: item.line_end,

package/dist/adapters/npmAudit.js

@@ -1,12 +1,23 @@
 import { normalizeGenericExternalResults } from "./normalizeExternal.js";
+const NPM_SEVERITY_MAP = {
+    critical: "critical",
+    high: "high",
+    moderate: "medium",
+    medium: "medium",
+    low: "low",
+    info: "info",
+};
 export function normalizeNpmAuditJson(input) {
-    return normalizeGenericExternalResults("npm-audit", Object.entries(input.vulnerabilities ?? {}).map(([pkg, vuln], index) => ({
-        id: `npm-audit-${index}`,
-        category: "dependency_risk",
-        severity: vuln.severity ?? "unknown",
-        path: "package-lock.json",
-        summary: `Package ${pkg} has a ${vuln.severity ?? "unknown"} severity vulnerability in range ${vuln.range ?? "unknown"}.`,
-        rule: pkg,
-        raw: vuln,
-    })));
+    return normalizeGenericExternalResults("npm-audit", Object.entries(input.vulnerabilities ?? {}).map(([pkg, vuln], index) => {
+        const severity = NPM_SEVERITY_MAP[vuln.severity ?? ""] ?? "low";
+        return {
+            id: `npm-audit-${index}`,
+            category: "dependency_risk",
+            severity,
+            path: "package-lock.json",
+            summary: `Package ${pkg} has a ${severity} severity vulnerability in range ${vuln.range ?? "unknown"}.`,
+            rule: pkg,
+            raw: vuln,
+        };
+    }));
 }

package/dist/adapters/semgrep.js

@@ -1,9 +1,34 @@
 import { normalizeGenericExternalResults } from "./normalizeExternal.js";
+/**
+ * Maps semgrep's native uppercase severity strings to the lowercase enum values
+ * required by external_analyzer_results.schema.json. Case-insensitive lookup so
+ * any casing variant is handled uniformly.
+ *
+ * Semgrep → schema:
+ *   CRITICAL → 'critical'
+ *   ERROR    → 'high'
+ *   WARNING  → 'medium'
+ *   INFO     → 'info'
+ *
+ * Any other / undefined value returns undefined so
+ * normalizeGenericExternalResults can apply its own fallback.
+ */
+function normalizeSemgrepSeverity(raw) {
+    if (raw === undefined)
+        return undefined;
+    switch (raw.toUpperCase()) {
+        case "CRITICAL": return "critical";
+        case "ERROR": return "high";
+        case "WARNING": return "medium";
+        case "INFO": return "info";
+        default: return undefined;
+    }
+}
 export function normalizeSemgrepJson(input) {
     return normalizeGenericExternalResults("semgrep", (input.results ?? []).map((result) => ({
         id: result.check_id,
         category: result.extra?.metadata?.category ?? "security",
-        severity: result.extra?.severity,
+        severity: normalizeSemgrepSeverity(result.extra?.severity),
         path: result.path,
         line_start: result.start?.line,
         line_end: result.end?.line,

package/dist/cli/advanceAuditCommand.d.ts

@@ -0,0 +1 @@
+export declare function cmdAdvanceAudit(argv: string[]): Promise<void>;

package/dist/cli/advanceAuditCommand.js

@@ -0,0 +1,95 @@
+import { mkdir } from "node:fs/promises";
+import { promoteFinalAuditReport } from "../io/artifacts.js";
+import { clearDispatchFiles, ensureSupervisorDirs } from "../io/runArtifacts.js";
+import { loadSessionConfig } from "../supervisor/sessionConfig.js";
+import { resolveRunProviderName, getArtifactsDir, getRootDir, warnIfNotGitRepo, getBatchResultsDir, getFlag } from "./args.js";
+import { runAuditStep, ingestBatchAuditResults } from "./auditStep.js";
+import { emitEnvelope } from "./envelope.js";
+import { persistConfigErrorHandoff } from "./reviewRun.js";
+import { cleanupStaleArtifactsDir } from "./cleanup.js";
+export async function cmdAdvanceAudit(argv) {
+    const root = getRootDir(argv);
+    warnIfNotGitRepo(root);
+    const artifactsDir = getArtifactsDir(argv);
+    await cleanupStaleArtifactsDir(artifactsDir);
+    await mkdir(artifactsDir, { recursive: true });
+    await ensureSupervisorDirs(artifactsDir);
+    let sessionConfig;
+    try {
+        sessionConfig = await loadSessionConfig(artifactsDir);
+    }
+    catch (error) {
+        await persistConfigErrorHandoff({
+            root,
+            artifactsDir,
+            progressSummary: error instanceof Error ? error.message : String(error),
+        });
+        throw error;
+    }
+    const providerName = resolveRunProviderName(argv, sessionConfig);
+    const batchResultsDir = getBatchResultsDir(argv);
+    if (batchResultsDir && getFlag(argv, "--results")) {
+        throw new Error("Use either --results <file> or --batch-results <dir>, not both.");
+    }
+    if (batchResultsDir) {
+        const result = await ingestBatchAuditResults({
+            root,
+            artifactsDir,
+            batchDir: batchResultsDir,
+        });
+        if (result.selected_executor !== "agent") {
+            await clearDispatchFiles(artifactsDir);
+        }
+        await emitEnvelope({
+            root,
+            artifactsDir,
+            bundle: result.bundle,
+            audit_state: result.audit_state,
+            selected_obligation: result.selected_obligation,
+            selected_executor: result.selected_executor,
+            progress_made: result.progress_made,
+            artifacts_written: result.artifacts_written,
+            progress_summary: result.progress_summary,
+            next_likely_step: result.next_likely_step,
+            providerName,
+        });
+        if (result.audit_state.status === "complete") {
+            await promoteFinalAuditReport({ artifactsDir, repoRoot: root });
+        }
+        return;
+    }
+    const externalAnalyzerPath = getFlag(argv, "--external-analyzer-results");
+    const result = await runAuditStep({
+        root,
+        artifactsDir,
+        preferredExecutor: getFlag(argv, "--preferred-executor") ??
+            (externalAnalyzerPath ? "external_analyzer_import_executor" : undefined),
+        auditResultsPath: getFlag(argv, "--results"),
+        runtimeUpdatesPath: getFlag(argv, "--updates"),
+        externalAnalyzerPath,
+        analyzers: sessionConfig.analyzers,
+        graphLlmEdgeReasoning: sessionConfig.graph?.llm_edge_reasoning,
+        since: getFlag(argv, "--since"),
+        opentoken: sessionConfig.opentoken?.enabled,
+        runLog: sessionConfig.observability?.run_log,
+    });
+    if (result.selected_executor !== "agent") {
+        await clearDispatchFiles(artifactsDir);
+    }
+    await emitEnvelope({
+        root,
+        artifactsDir,
+        bundle: result.updated_bundle,
+        audit_state: result.audit_state,
+        selected_obligation: result.selected_obligation,
+        selected_executor: result.selected_executor,
+        progress_made: result.progress_made,
+        artifacts_written: result.artifacts_written,
+        progress_summary: result.progress_summary,
+        next_likely_step: result.next_likely_step,
+        providerName,
+    });
+    if (result.audit_state.status === "complete") {
+        await promoteFinalAuditReport({ artifactsDir, repoRoot: root });
+    }
+}

package/dist/cli/args.js

@@ -1,5 +1,4 @@
-import { existsSync } from "node:fs";
-import { createReadStream } from "node:fs";
+import { existsSync, createReadStream } from "node:fs";
 import { readdir } from "node:fs/promises";
 import { Buffer } from "node:buffer";
 import { createHash } from "node:crypto";

package/dist/cli/auditStep.js

@@ -1,6 +1,6 @@
 import { rename } from "node:fs/promises";
 import { basename, dirname, join } from "node:path";
-import { readJsonFile, RunLogger } from "@audit-tools/shared";
+import { readJsonFile, RunLogger, withFsRetry } from "@audit-tools/shared";
 import { loadArtifactBundle, writeCoreArtifacts, } from "../io/artifacts.js";
 import { advanceAudit } from "../orchestrator/advance.js";
 import { deriveAuditState } from "../orchestrator/state.js";
@@ -16,7 +16,7 @@ async function maybeArchiveLegacyPendingResults(auditResultsPath) {
     }
     const archivedPath = join(dirname(auditResultsPath), `worker_results_submitted_${new Date().toISOString().replace(/[:.]/g, "-")}.json`);
     try {
-        await rename(auditResultsPath, archivedPath);
+        await withFsRetry(() => rename(auditResultsPath, archivedPath));
         return archivedPath;
     }
     catch (error) {

package/dist/cli/cleanup.d.ts

@@ -1 +1,11 @@
-export declare function cleanupStaleArtifactsDir(artifactsDir: string): Promise<void>;
+import type { AuditState } from "../types/auditState.js";
+export type CleanupOptions = {
+    force?: boolean;
+    dryRun?: boolean;
+};
+export type CleanupResult = {
+    action: "deleted" | "skipped" | "dry-run";
+    status: AuditState["status"] | "unknown";
+    reason?: string;
+};
+export declare function cleanupStaleArtifactsDir(artifactsDir: string, options?: CleanupOptions): Promise<CleanupResult>;

package/dist/cli/cleanup.js

@@ -5,8 +5,14 @@ import { isFileMissingError, readJsonFile } from "@audit-tools/shared";
 // run completed or never started, its artifacts are safe to clear. A missing
 // state file means there is nothing to clean. Shared by run-to-completion
 // (clears before a fresh loop) and the cleanup command.
-export async function cleanupStaleArtifactsDir(artifactsDir) {
-    let status;
+//
+// With options:
+//   force=true  — delete even when status is active/blocked or state file is missing.
+//   dryRun=true — skip the actual rm call and return action='dry-run'.
+// Both default to false; the no-args call from run-to-completion is unchanged.
+export async function cleanupStaleArtifactsDir(artifactsDir, options = {}) {
+    const { force = false, dryRun = false } = options;
+    let status = "unknown";
     try {
         const state = await readJsonFile(join(artifactsDir, "audit_state.json"));
         status = state.status;
@@ -15,9 +21,23 @@ export async function cleanupStaleArtifactsDir(artifactsDir) {
         if (!isFileMissingError(error)) {
             throw error;
         }
-        return;
+        // State file missing — status stays "unknown".
     }
-    if (status === "complete" || status === "not_started") {
-        await rm(artifactsDir, { recursive: true, force: true });
+    const eligibleWithoutForce = status === "complete" || status === "not_started";
+    const resumable = status === "active" || status === "blocked";
+    if (!eligibleWithoutForce && !force) {
+        // active/blocked — caller may want to resume; skip unless forced
+        if (resumable) {
+            const reason = `audit is ${status} and may be resumed — use --force to delete anyway`;
+            return { action: "skipped", status, reason };
+        }
+        // unknown (missing state file) — no-op by default; caller decides how to
+        // surface this (run-to-completion ignores it; cleanup command sets exitCode=1)
+        return { action: "skipped", status: "unknown" };
+    }
+    if (dryRun) {
+        return { action: "dry-run", status };
     }
+    await rm(artifactsDir, { recursive: true, force: true });
+    return { action: "deleted", status };
 }

package/dist/cli/cleanupCommand.d.ts

@@ -0,0 +1 @@
+export declare function cmdCleanup(argv: string[]): Promise<void>;

package/dist/cli/cleanupCommand.js

@@ -0,0 +1,24 @@
+import { getArtifactsDir, hasFlag } from "./args.js";
+import { cleanupStaleArtifactsDir } from "./cleanup.js";
+export async function cmdCleanup(argv) {
+    const artifactsDir = getArtifactsDir(argv);
+    const dryRun = hasFlag(argv, "--dry-run");
+    const force = hasFlag(argv, "--force");
+    const result = await cleanupStaleArtifactsDir(artifactsDir, { force, dryRun });
+    if (result.action === "skipped") {
+        console.log(JSON.stringify({
+            artifacts_dir: artifactsDir,
+            action: "skipped",
+            reason: result.reason ?? "no audit_state.json found; artifacts may be from a crashed audit — use --force to delete anyway",
+            dry_run: dryRun,
+        }, null, 2));
+        process.exitCode = 1;
+        return;
+    }
+    console.log(JSON.stringify({
+        artifacts_dir: artifactsDir,
+        action: result.action,
+        status: result.status,
+        dry_run: dryRun,
+    }, null, 2));
+}