auditor-lambda 0.10.7 → 0.11.0

package/README.md

@@ -212,11 +212,16 @@ Optional backend config:
 
 ```bash
 npm install
+npm run test:single -- tests/next-step.test.mjs
 npm run verify:release
 npm run release:patch
 npm run release:patch:publish
 ```
 
+When developing from a fresh clone or git worktree, run repo-root `npm install`
+before package checks. Missing workspace links can look like stale
+`@audit-tools/shared` export or type errors.
+
 For GitHub Actions publication and npm Trusted Publishing setup, see `docs/release.md`.
 
 ## Key Docs

package/audit-code-wrapper-install-hosts.mjs

@@ -720,7 +720,7 @@ export async function installBootstrap(argv, options = {}) {
   );
   results.push(await writeGeneratedJson(installManifestPath, installManifest));
 
-  const sessionConfigPath = join(root, '.audit-artifacts', 'session-config.json');
+  const sessionConfigPath = join(root, '.audit-tools', 'audit', 'session-config.json');
   if (!(await fileExists(sessionConfigPath))) {
     const defaultConfig = { provider: 'local-subprocess' };
     await mkdir(dirname(sessionConfigPath), { recursive: true });

package/audit-code-wrapper-lib.mjs

@@ -123,7 +123,7 @@ function printHelp({ usageName, preferredEntrypoint }) {
     '- verify-install smoke-tests the generated host assets after install',
     '- mcp starts the local stdio MCP server for repo-local IDE integrations',
     '- install-host --host copilot keeps the narrower Copilot-focused install path available',
-    '- next-step advances deterministic audit state and writes .audit-artifacts/steps/current-step.json plus current-prompt.md',
+    '- next-step advances deterministic audit state and writes .audit-tools/audit/steps/current-step.json plus current-prompt.md',
     '- validate checks the current artifact bundle plus session-config/provider readiness and exits non-zero when issues exist',
     '- validate-results --results FILE validates AuditResult payloads against the active task manifest without ingesting them',
     '- explain-task <task_id> prints the resolved file coverage and current status for a task id',
@@ -141,7 +141,7 @@ function printHelp({ usageName, preferredEntrypoint }) {
     '',
     'Defaults:',
     '- --root .',
-    '- --artifacts-dir <root>/.audit-artifacts',
+    '- --artifacts-dir <root>/.audit-tools/audit',
     '',
     'Completion signals:',
     '- done: audit_state.status is complete',
@@ -166,7 +166,7 @@ async function printPromptPath() {
 async function runDistCommand(commandName, argv, { ensureArtifactsDir = false } = {}) {
   const commandArgs = [...argv];
   const rootValue = resolve(getFlag(commandArgs, '--root') ?? '.');
-  const artifactsDir = resolve(getFlag(commandArgs, '--artifacts-dir') ?? join(rootValue, '.audit-artifacts'));
+  const artifactsDir = resolve(getFlag(commandArgs, '--artifacts-dir') ?? join(rootValue, '.audit-tools', 'audit'));
 
   setDefaultFlag(commandArgs, '--root', rootValue);
   setDefaultFlag(commandArgs, '--artifacts-dir', artifactsDir);
@@ -184,7 +184,7 @@ async function runDistCommand(commandName, argv, { ensureArtifactsDir = false }
 async function runDistCommandInline(commandName, argv) {
   const commandArgs = [...argv];
   const rootValue = resolve(getFlag(commandArgs, '--root') ?? '.');
-  const artifactsDir = resolve(getFlag(commandArgs, '--artifacts-dir') ?? join(rootValue, '.audit-artifacts'));
+  const artifactsDir = resolve(getFlag(commandArgs, '--artifacts-dir') ?? join(rootValue, '.audit-tools', 'audit'));
 
   setDefaultFlag(commandArgs, '--root', rootValue);
   setDefaultFlag(commandArgs, '--artifacts-dir', artifactsDir);
@@ -305,7 +305,7 @@ export async function runAuditCodeWrapper({
     wrapperArgs.push('--single-step');
   }
   const rootValue = resolve(getFlag(wrapperArgs, '--root') ?? '.');
-  const artifactsDir = resolve(getFlag(wrapperArgs, '--artifacts-dir') ?? join(rootValue, '.audit-artifacts'));
+  const artifactsDir = resolve(getFlag(wrapperArgs, '--artifacts-dir') ?? join(rootValue, '.audit-tools', 'audit'));
 
   setDefaultFlag(wrapperArgs, '--root', rootValue);
   setDefaultFlag(wrapperArgs, '--artifacts-dir', artifactsDir);

package/audit-code-wrapper-opencode.mjs

@@ -1,8 +1,7 @@
 export const OPENCODE_AUDIT_EDIT_PERMISSION = {
   '*': 'ask',
   '.audit-code/**': 'allow',
-  '.audit-artifacts/**': 'allow',
-  'audit-report.md': 'allow',
+  '.audit-tools/**': 'allow',
 };
 
 export const OPENCODE_AUDIT_EXTERNAL_DIRECTORY_PERMISSION = { '*': 'allow' };
@@ -176,7 +175,7 @@ export function assertOpenCodeAuditPermissionConfig(permissionConfig, label) {
   if (!edit || typeof edit !== 'object' || Array.isArray(edit)) {
     throw new Error(`OpenCode ${label}.edit must allow audit-owned file paths. Run "audit-code install --host opencode".`);
   }
-  for (const pattern of ['.audit-code/**', '.audit-artifacts/**', 'audit-report.md']) {
+  for (const pattern of ['.audit-code/**', '.audit-tools/**']) {
     if (edit[pattern] !== 'allow') {
       throw new Error(`OpenCode ${label}.edit must allow ${pattern}. Run "audit-code install --host opencode".`);
     }

package/dist/cli/advanceAuditCommand.js

@@ -54,7 +54,7 @@ export async function cmdAdvanceAudit(argv) {
             providerName,
         });
         if (result.audit_state.status === "complete") {
-            await promoteFinalAuditReport({ artifactsDir, repoRoot: root });
+            await promoteFinalAuditReport({ artifactsDir });
         }
         return;
     }
@@ -90,6 +90,6 @@ export async function cmdAdvanceAudit(argv) {
         providerName,
     });
     if (result.audit_state.status === "complete") {
-        await promoteFinalAuditReport({ artifactsDir, repoRoot: root });
+        await promoteFinalAuditReport({ artifactsDir });
     }
 }

package/dist/cli/args.d.ts

@@ -1,4 +1,4 @@
-import type { SessionConfig } from "@audit-tools/shared";
+import { toPromptPathToken, quotePromptCommandArg, type SessionConfig } from "@audit-tools/shared";
 export type UiMode = "visible" | "headless";
 export declare const DIRECT_CLI_DEFAULTS: {
     rootDir: string;
@@ -23,7 +23,7 @@ export declare function fromBase64Url(value: string): string;
 export declare function digestId(value: string): string;
 export declare function safeArtifactStem(value: string): string;
 export declare function artifactNameForId(value: string, extension: string): string;
-export declare function quoteCommandArg(value: string): string;
+export declare const quoteCommandArg: typeof quotePromptCommandArg;
 /**
  * Normalize a generated command token to POSIX path separators. These command
  * strings are embedded in step prompts and `allowed_commands` and run by the
@@ -34,7 +34,7 @@ export declare function quoteCommandArg(value: string): string;
  * are touched, and no non-path argument in this CLI contains one, so this is a
  * targeted normalization rather than a blanket rewrite.
  */
-export declare function toPosixCommandToken(value: string): string;
+export declare const toPosixCommandToken: typeof toPromptPathToken;
 export declare function renderCommand(argv: string[]): string;
 export declare function summarizeLaunchExit(result: {
     accepted?: boolean;

package/dist/cli/args.js

@@ -3,10 +3,11 @@ import { readdir } from "node:fs/promises";
 import { Buffer } from "node:buffer";
 import { createHash } from "node:crypto";
 import { join, resolve } from "node:path";
+import { renderPromptCommand, toPromptPathToken, quotePromptCommandArg, } from "@audit-tools/shared";
 import { resolveFreshSessionProviderName } from "../providers/index.js";
 export const DIRECT_CLI_DEFAULTS = {
     rootDir: ".",
-    artifactsDir: ".artifacts",
+    artifactsDir: ".audit-tools/audit",
     maxRuns: 1000,
     agentBatchSize: 6,
     parallelWorkers: 1,
@@ -76,9 +77,7 @@ export function safeArtifactStem(value) {
 export function artifactNameForId(value, extension) {
     return `${safeArtifactStem(value)}_${digestId(value)}.${extension}`;
 }
-export function quoteCommandArg(value) {
-    return /[\s"]/u.test(value) ? `"${value.replace(/"/g, '\\"')}"` : value;
-}
+export const quoteCommandArg = quotePromptCommandArg;
 /**
  * Normalize a generated command token to POSIX path separators. These command
  * strings are embedded in step prompts and `allowed_commands` and run by the
@@ -89,11 +88,9 @@ export function quoteCommandArg(value) {
  * are touched, and no non-path argument in this CLI contains one, so this is a
  * targeted normalization rather than a blanket rewrite.
  */
-export function toPosixCommandToken(value) {
-    return value.includes("\\") ? value.replace(/\\/g, "/") : value;
-}
+export const toPosixCommandToken = toPromptPathToken;
 export function renderCommand(argv) {
-    return argv.map((item) => quoteCommandArg(toPosixCommandToken(item))).join(" ");
+    return renderPromptCommand(argv);
 }
 export function summarizeLaunchExit(result) {
     if (result.accepted !== false && !result.error) {

package/dist/cli/dispatch.d.ts

@@ -123,6 +123,7 @@ export declare function buildPacketPrompt(params: {
     largeFileSection: string[];
     taskSections: string[];
     submitCommand: string;
+    repoRoot?: string;
 }): string;
 /**
  * Extracts the context-budget warning loop.

package/dist/cli/dispatch.js

@@ -10,7 +10,7 @@ import { orderTasksForPacketReview, buildReviewPackets, sizeIndexFromManifest, }
 import { buildFileAnchorSummary } from "../orchestrator/fileAnchors.js";
 import { resolveFreshSessionProviderName } from "../providers/index.js";
 import { loadSessionConfig } from "../supervisor/sessionConfig.js";
-import { computeDispatchCapacity, buildProviderModelKey, resolveHostModel, readQuotaState, resolveHostActiveSubagentLimit, lookupDiscoveredLimits, mergeDiscoveredLimits, } from "../quota/index.js";
+import { computeDispatchCapacity, buildProviderModelKey, resolveHostModel, readQuotaState, resolveHostActiveSubagentLimit, lookupDiscoveredLimits, mergeDiscoveredLimits, summarizeDispatchCapacityPools, } from "../quota/index.js";
 import { taskResultPath, packetPromptPath, artifactNameForId, toBase64Url, fromBase64Url, getFlag, } from "./args.js";
 export const LARGE_FILE_PACKET_TARGET_LINES = 2500;
 export const SMALL_MODEL_HINT_MAX_LINES = 500;
@@ -303,10 +303,12 @@ export function buildTaskSections(packetTasks, lensDefs, lineIndex) {
  * Wraps the 75-line array-join block and returns the assembled prompt string.
  */
 export function buildPacketPrompt(params) {
-    const { packet, fileList, largeFileSection, taskSections, submitCommand } = params;
+    const { packet, fileList, largeFileSection, taskSections, submitCommand, repoRoot } = params;
     const largeFileMode = isIsolatedLargeFilePacket(packet);
     return [
         "You are a code auditor. Review this packet once, then submit exactly one result per listed task.",
+        repoRoot ? `Repository root: ${repoRoot}` : "Repository root: use the root from the step contract.",
+        "Set the shell/tool workdir to the repository root when running backend commands.",
         "",
         "## Packet",
         `packet_id: ${packet.packet_id}`,
@@ -316,8 +318,8 @@ export function buildPacketPrompt(params) {
         "",
         "## Files to read",
         largeFileMode
-            ? "Use targeted Read/Grep calls. Paths are repo-relative from the current working directory."
-            : "Use your Read tool. Paths are repo-relative from the current working directory.",
+            ? "Use targeted Read/Grep calls. Paths are repo-relative to the repository root above."
+            : "Use your Read tool. Paths are repo-relative to the repository root above.",
         "Use host Read and Grep tools for source inspection. Do not use shell search commands.",
         fileList,
         "",
@@ -331,6 +333,8 @@ export function buildPacketPrompt(params) {
         "packet-*-result.json / audit_result_*.json) — the submit-packet command below is the only",
         "way to record results, and it writes them inside the artifacts directory for you.",
         "Produce one JSON array containing exactly one AuditResult object for each listed task.",
+        "Windows PowerShell: do not pipe an inline foreach statement directly into ConvertTo-Json.",
+        "Assign the foreach output to a variable first, then pipe that variable to ConvertTo-Json.",
         "",
         "Schema file (resolve relative to this prompt's directory): audit_result.schema.json",
         "  $refs resolved from the same directory: finding.schema.json, audit_task.schema.json",
@@ -437,6 +441,8 @@ async function computeDispatchQuota(params) {
         wave_size: dispatchCapacity.total_slots,
         estimated_wave_tokens: dispatchCapacity.estimated_wave_tokens,
         cooldown_until: dispatchCapacity.cooldown_until,
+        binding_cap: dispatchCapacity.binding_cap,
+        capacity_pools: summarizeDispatchCapacityPools(dispatchCapacity),
         quota_source_snapshot: waveSchedule.quota_source_snapshot ?? null,
         backoff_state: null,
     };
@@ -633,8 +639,11 @@ export async function prepareDispatchArtifacts(params) {
                 result_path: resultPathByTaskId.get(task.task_id),
             });
         }
-        const prompt = buildPacketPrompt({ packet, packetTasks, fileList, largeFileSection, taskSections, submitCommand });
+        const prompt = buildPacketPrompt({ packet, packetTasks, fileList, largeFileSection, taskSections, submitCommand, repoRoot: reviewRoot });
         await writeFile(promptPath, prompt, "utf8");
+        const packetWritePaths = packetTasks
+            .map((task) => resultPathByTaskId.get(task.task_id))
+            .filter((p) => p !== undefined);
         plan.push({
             packet_id: packet.packet_id,
             description: `Audit ${packet.file_paths.length} file(s), ${packet.task_ids.length} task(s), ${packet.lenses.length} lens(es) (~${packet.total_lines} lines)` +
@@ -642,6 +651,16 @@ export async function prepareDispatchArtifacts(params) {
             prompt_path: promptPath,
             complexity,
             model_hint: buildDispatchModelHint(complexity),
+            access: {
+                read_paths: [
+                    promptPath,
+                    ...(reviewRoot
+                        ? packet.file_paths.map((p) => join(reviewRoot, p))
+                        : packet.file_paths),
+                ],
+                write_paths: packetWritePaths,
+                forbidden_patterns: ["packet-*-result.json", "audit_result_*.json"],
+            },
         });
     }
     await writeJsonFile(dispatchPlanPath, plan);

package/dist/cli/nextStepCommand.js

@@ -1,5 +1,5 @@
 import { mkdir, unlink, writeFile } from "node:fs/promises";
-import { join, resolve } from "node:path";
+import { dirname, join, resolve } from "node:path";
 import { isFileMissingError, readJsonFile, writeJsonFile, } from "@audit-tools/shared";
 import { loadArtifactBundle, promoteFinalAuditReport, writeCoreArtifacts, AUDIT_REPORT_FILENAME, } from "../io/artifacts.js";
 import { advanceAudit } from "../orchestrator/advance.js";
@@ -71,14 +71,13 @@ export async function buildTerminalStep(params, bundle, state, blockedReason) {
     }
     const promoted = await promoteFinalAuditReport({
         artifactsDir: params.artifactsDir,
-        repoRoot: params.root,
     });
     return {
         kind: "complete",
         state,
         bundle,
         finalReportPath: promoted.promoted
-            ? join(params.root, AUDIT_REPORT_FILENAME)
+            ? join(dirname(params.artifactsDir), AUDIT_REPORT_FILENAME)
             : join(params.artifactsDir, AUDIT_REPORT_FILENAME),
     };
 }
@@ -293,7 +292,6 @@ async function runDeterministicForNextStep(params) {
             });
             const promoted = await promoteFinalAuditReport({
                 artifactsDir: params.artifactsDir,
-                repoRoot: params.root,
             });
             return {
                 kind: "complete",

package/dist/cli/prompts.js

@@ -1,4 +1,4 @@
-import { DO_NOT_TOKEN_WRAP_NOTE } from "@audit-tools/shared";
+import { DO_NOT_TOKEN_WRAP_NOTE, DISPATCH_PROMPT_HANDOFF_NOTE } from "@audit-tools/shared";
 import { renderCommand } from "./args.js";
 /**
  * Token prefix the host should use to re-invoke the backend in generated
@@ -93,7 +93,7 @@ export function renderDispatchReviewPrompt(params) {
         ...dispatchDataLines,
         ...canaryLines,
         "",
-        "Pass each `entry.prompt_path` literally to its subagent; do not load packet prompt files into this orchestrator context.",
+        DISPATCH_PROMPT_HANDOFF_NOTE,
         "",
         "Subagent prompt shape:",
         "",
@@ -104,7 +104,7 @@ export function renderDispatchReviewPrompt(params) {
         "",
         "Each subagent must submit its packet through the submit command printed in its packet prompt and stop after successful submission.",
         "",
-        "**File access pre-approval:** Each dispatch plan entry includes an `access` object with `read_paths` and `write_paths`. If your host supports per-subagent file access restrictions, pre-approve those paths before launching each subagent. Workers should not access files outside their declared paths.",
+        "**File access pre-approval:** Each dispatch plan entry includes an `access` object with `read_paths`, `write_paths`, and `forbidden_patterns`. If your host supports per-subagent file access restrictions, pre-approve exactly `entry.access.read_paths` and `entry.access.write_paths` for each subagent. Do not grant broad workspace or task-results directory write access. Workers should not access files outside their declared paths.",
         "",
         "**After all waves complete:**",
         "",
@@ -172,10 +172,11 @@ export function renderEdgeReasoningDispatchPrompt(params) {
         "optional pass: it only rewrites the `reason` string of those edges — it never",
         "adds, removes, re-targets, or re-weights an edge.",
         "",
-        "Dispatch exactly ONE subagent (via the `task` tool or equivalent). Hand it this",
-        "prompt file path; do not load the file into this orchestrator context:",
+        "Dispatch exactly ONE subagent (via the `task` tool or equivalent).",
         "",
-        `  ${params.promptPath}`,
+        DISPATCH_PROMPT_HANDOFF_NOTE,
+        "",
+        `  Prompt path: ${params.promptPath}`,
         "",
         "Subagent prompt shape:",
         "",

package/dist/cli/resynthesizeCommand.d.ts

@@ -0,0 +1 @@
+export declare function cmdResynthesize(argv: string[]): Promise<void>;

package/dist/cli/resynthesizeCommand.js

@@ -0,0 +1,50 @@
+import { join } from "node:path";
+import { existsSync } from "node:fs";
+import { readFile, writeFile, mkdir } from "node:fs/promises";
+import { getRootDir } from "./args.js";
+import { normalizeExistingFindingsReport, renderAuditReportMarkdown, } from "../reporting/synthesis.js";
+const AUDIT_TOOLS_DIR = ".audit-tools";
+const FINDINGS_FILENAME = "audit-findings.json";
+const REPORT_FILENAME = "audit-report.md";
+function getFlagValue(argv, flag) {
+    const idx = argv.indexOf(flag);
+    return idx >= 0 && idx + 1 < argv.length ? argv[idx + 1] : undefined;
+}
+export async function cmdResynthesize(argv) {
+    const root = getRootDir(argv);
+    const auditToolsDir = join(root, AUDIT_TOOLS_DIR);
+    const defaultInput = join(auditToolsDir, FINDINGS_FILENAME);
+    const inputPath = getFlagValue(argv, "--input") ?? defaultInput;
+    if (!existsSync(inputPath)) {
+        console.error(`resynthesize: ${FINDINGS_FILENAME} not found at ${inputPath}. ` +
+            `Run the full audit first, or supply --input <path>.`);
+        process.exitCode = 1;
+        return;
+    }
+    const raw = await readFile(inputPath, "utf8");
+    let report;
+    try {
+        report = JSON.parse(raw);
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        console.error(`resynthesize: could not parse ${inputPath}: ${msg}`);
+        process.exitCode = 1;
+        return;
+    }
+    const normalized = normalizeExistingFindingsReport(report);
+    const markdown = renderAuditReportMarkdown(normalized);
+    await mkdir(auditToolsDir, { recursive: true });
+    const outputFindingsPath = join(auditToolsDir, FINDINGS_FILENAME);
+    const outputReportPath = join(auditToolsDir, REPORT_FILENAME);
+    await writeFile(outputFindingsPath, JSON.stringify(normalized, null, 2), "utf8");
+    await writeFile(outputReportPath, markdown, "utf8");
+    console.log(JSON.stringify({
+        source: inputPath,
+        findings_output: outputFindingsPath,
+        report_output: outputReportPath,
+        finding_count: normalized.summary.finding_count,
+        work_block_count: normalized.summary.work_block_count,
+        contract_version: normalized.contract_version,
+    }, null, 2));
+}

package/dist/cli/runToCompletion.js

@@ -671,7 +671,7 @@ async function handleNoExecutor(params) {
         providerName,
     });
     if (state.status === "complete") {
-        await promoteFinalAuditReport({ artifactsDir, repoRoot: root });
+        await promoteFinalAuditReport({ artifactsDir });
     }
 }
 async function runParallelWaveStep(params) {
@@ -869,7 +869,7 @@ async function handleMaxRunsReached(params) {
         providerName,
     });
     if (reportRendered) {
-        await promoteFinalAuditReport({ artifactsDir, repoRoot: root });
+        await promoteFinalAuditReport({ artifactsDir });
     }
 }
 export async function cmdRunToCompletion(argv) {

package/dist/cli.js

@@ -23,6 +23,7 @@ import { cmdValidate } from "./cli/validateCommand.js";
 import { cmdValidateResults } from "./cli/validateResultsCommand.js";
 import { cmdRequeue } from "./cli/requeueCommand.js";
 import { cmdSynthesize } from "./cli/synthesizeCommand.js";
+import { cmdResynthesize } from "./cli/resynthesizeCommand.js";
 import { cmdCleanup } from "./cli/cleanupCommand.js";
 import { cmdQuota } from "./cli/quotaCommand.js";
 import { cmdDispatchStatus } from "./cli/dispatchStatusCommand.js";
@@ -93,6 +94,9 @@ async function main(argv) {
         case "synthesize":
             await cmdSynthesize(argv);
             return;
+        case "resynthesize":
+            await cmdResynthesize(argv);
+            return;
         case "cleanup":
             await cmdCleanup(argv);
             return;
@@ -119,7 +123,7 @@ async function main(argv) {
             return;
         default:
             console.error(`Unknown command: ${command}`);
-            console.error("Available commands: sample-run, advance-audit, next-step, run-to-completion, worker-run, import-external-analyzer, intake, plan, ingest-results, explain-task, update-runtime-validation, validate, validate-results, requeue, synthesize, cleanup, prepare-dispatch, merge-and-ingest, submit-packet, validate-result, quota, status, dispatch-status");
+            console.error("Available commands: sample-run, advance-audit, next-step, run-to-completion, worker-run, import-external-analyzer, intake, plan, ingest-results, explain-task, update-runtime-validation, validate, validate-results, requeue, synthesize, resynthesize, cleanup, prepare-dispatch, merge-and-ingest, submit-packet, validate-result, quota, status, dispatch-status");
             process.exitCode = 1;
     }
 }

package/dist/extractors/fsIntake.js

@@ -10,7 +10,7 @@ const DEFAULT_IGNORES = [
     ".next",
     ".turbo",
     ".artifacts",
-    ".audit-artifacts",
+    ".audit-tools",
     ".audit-code/install",
     ".agent",
     ".claude",

package/dist/extractors/pathPatterns.js

@@ -204,7 +204,7 @@ export function isGeneratedTestArtifactPath(normalized) {
     return splitSegments(normalized).some((segment) => segment.startsWith(".test-") && segment.endsWith("-artifacts"));
 }
 export function isAuditArtifactPath(normalized) {
-    return hasSegment(normalized, ".audit-artifacts");
+    return hasSegment(normalized, ".audit-tools");
 }
 export function isTestPath(normalized) {
     const segments = splitSegments(normalized);

package/dist/io/artifacts.d.ts

@@ -2,7 +2,7 @@ import { cp, rm } from "node:fs/promises";
 import type { AuditResult, AuditTask, CoverageMatrix, RepoManifest, UnitManifest } from "../types.js";
 import type { AuditState } from "../types/auditState.js";
 import type { ArtifactMetadataManifest } from "../types/artifactMetadata.js";
-import type { AuditFindingsReport, FileDisposition, CriticalFlowManifest, GraphBundle, RiskRegister, SurfaceManifest } from "@audit-tools/shared";
+import type { AuditFindingsReport, FileDisposition, CriticalFlowManifest, GraphBundle, RiskRegister, SurfaceManifest, IntentCheckpoint } from "@audit-tools/shared";
 import type { SynthesisNarrativeRecord } from "../types/synthesisNarrative.js";
 import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
 import type { FlowCoverageManifest } from "../types/flowCoverage.js";
@@ -17,6 +17,7 @@ type ArtifactPayloadMap = {
     repo_manifest: RepoManifest;
     file_disposition: FileDisposition;
     auto_fixes_applied: unknown;
+    intent_checkpoint: IntentCheckpoint;
     unit_manifest: UnitManifest;
     graph_bundle: GraphBundle;
     surface_manifest: SurfaceManifest;
@@ -68,6 +69,7 @@ export declare const ARTIFACT_DEFINITIONS: {
     readonly repo_manifest: ArtifactDefinition<"repo_manifest">;
     readonly file_disposition: ArtifactDefinition<"file_disposition">;
     readonly auto_fixes_applied: ArtifactDefinition<"auto_fixes_applied">;
+    readonly intent_checkpoint: ArtifactDefinition<"intent_checkpoint">;
     readonly unit_manifest: ArtifactDefinition<"unit_manifest">;
     readonly graph_bundle: ArtifactDefinition<"graph_bundle">;
     readonly surface_manifest: ArtifactDefinition<"surface_manifest">;
@@ -103,7 +105,6 @@ export declare function writeCoreArtifacts(root: string, bundle: ArtifactBundle,
 export declare function cleanupIntermediateArtifacts(root: string): Promise<string[]>;
 export declare function promoteFinalAuditReport(params: {
     artifactsDir: string;
-    repoRoot: string;
 }, options?: {
     copy?: typeof cp;
     remove?: typeof rm;

package/dist/io/artifacts.js

@@ -1,5 +1,5 @@
 import { cp, rm, unlink } from "node:fs/promises";
-import { join } from "node:path";
+import { dirname, join } from "node:path";
 import { isFileMissingError, readOptionalJsonFile, readOptionalNdjsonFile, readOptionalTextFile, writeJsonFile, writeNdjsonFile, writeTextFile, } from "@audit-tools/shared";
 import { buildToolingManifest } from "./toolingManifest.js";
 // Canonical filename for the rendered findings report. Single source of truth
@@ -34,6 +34,7 @@ export const ARTIFACT_DEFINITIONS = {
     repo_manifest: jsonArtifact("repo_manifest.json", "intake"),
     file_disposition: jsonArtifact("file_disposition.json", "intake"),
     auto_fixes_applied: jsonArtifact("auto_fixes_applied.json", "intake"),
+    intent_checkpoint: jsonArtifact("intent_checkpoint.json", "intake"),
     unit_manifest: jsonArtifact("unit_manifest.json", "analysis"),
     graph_bundle: jsonArtifact("graph_bundle.json", "analysis"),
     surface_manifest: jsonArtifact("surface_manifest.json", "analysis"),
@@ -130,8 +131,9 @@ export async function cleanupIntermediateArtifacts(root) {
     return deleted;
 }
 export async function promoteFinalAuditReport(params, options = {}) {
+    const outputDir = dirname(params.artifactsDir);
     const source = join(params.artifactsDir, AUDIT_REPORT_FILENAME);
-    const destination = join(params.repoRoot, AUDIT_REPORT_FILENAME);
+    const destination = join(outputDir, AUDIT_REPORT_FILENAME);
     const copy = options.copy ?? cp;
     const remove = options.remove ?? rm;
     const warn = options.warn ?? ((message) => process.stderr.write(`${message}\n`));
@@ -147,12 +149,12 @@ export async function promoteFinalAuditReport(params, options = {}) {
     // Promote the canonical machine contract alongside the human report. Missing
     // (e.g. legacy bundle) or unreadable: best-effort, never blocks completion.
     try {
-        await copy(join(params.artifactsDir, "audit-findings.json"), join(params.repoRoot, "audit-findings.json"), { force: true });
+        await copy(join(params.artifactsDir, "audit-findings.json"), join(outputDir, "audit-findings.json"), { force: true });
     }
     catch (error) {
         // audit-findings.json is optional output; absence must not fail promotion.
         // Log so operators can distinguish a partial promotion from a clean one.
-        warn(`audit-code: could not promote audit-findings.json to ${join(params.repoRoot, "audit-findings.json")}: ` +
+        warn(`audit-code: could not promote audit-findings.json to ${join(outputDir, "audit-findings.json")}: ` +
             (error instanceof Error ? error.message : String(error)));
     }
     try {

package/dist/io/runArtifacts.js

@@ -187,7 +187,7 @@ export async function writeDispatchBatchFiles(artifactsDir, runs, currentTasks,
             "# audit-code parallel dispatch",
             "",
             `This batch launched ${runs.length} deferred review run(s).`,
-            "Each run keeps its own task.json, prompt.md, result.json, and status.json under .audit-artifacts/runs/<run_id>/.",
+            "Each run keeps its own task.json, prompt.md, result.json, and status.json under .audit-tools/audit/runs/<run_id>/.",
             "Use current-tasks.json for the combined task list. The per-run files below are operational references for launched workers; do not read per-run prompt or schema files unless debugging a failed dispatch.",
             "",
             "Runs:",

package/dist/orchestrator/advance.js

@@ -3,6 +3,7 @@ import { decideNextStep, findObligation } from "./nextStep.js";
 import { deriveAuditState } from "./state.js";
 import { computeArtifactMetadata } from "./artifactMetadata.js";
 import { runIntakeExecutor } from "./intakeExecutors.js";
+import { runIntentCheckpointExecutor } from "./intentCheckpointExecutor.js";
 import { runStructureExecutor, runDesignAssessmentExecutor, runDesignReviewAutoComplete, } from "./structureExecutors.js";
 import { runPlanningExecutor } from "./planningExecutors.js";
 import { runResultIngestionExecutor, runRuntimeValidationExecutor, runRuntimeValidationUpdateExecutor, runExternalAnalyzerImportExecutor, } from "./ingestionExecutors.js";
@@ -91,6 +92,11 @@ export async function advanceAudit(bundle, options = {}) {
                 run = await runIntakeExecutor(bundle, root);
                 break;
             }
+            case "intent_checkpoint_executor": {
+                const root = requireRoot(options.root, "intent_checkpoint_executor");
+                run = await runIntentCheckpointExecutor(bundle, root, options.since);
+                break;
+            }
             case "structure_executor":
                 // root is intentionally optional: present → buildGraphBundleFromFs, absent → manifest-only buildGraphBundle
                 run = await runStructureExecutor(bundle, options.root);

package/dist/orchestrator/dependencyMap.js

@@ -8,6 +8,13 @@ export const ARTIFACT_DEPENDENTS_MAP = {
     "tooling_manifest.json": [
         "repo_manifest.json",
     ],
+    "intent_checkpoint.json": [
+        "coverage_matrix.json",
+        "audit_tasks.json",
+        "audit_plan_metrics.json",
+        "review_packets.json",
+        "requeue_tasks.json",
+    ],
     "repo_manifest.json": [
         "file_disposition.json",
         "unit_manifest.json",