auditor-lambda 0.11.0 → 0.11.1

package/dist/cli/auditStep.js

@@ -6,6 +6,7 @@ import { advanceAudit } from "../orchestrator/advance.js";
 import { deriveAuditState } from "../orchestrator/state.js";
 import { decideNextStep } from "../orchestrator/nextStep.js";
 import { sizeIndexFromManifest } from "../orchestrator/reviewPackets.js";
+import { partitionOrphanedAuditResults } from "../orchestrator/resultIngestion.js";
 import { validateAuditResults, formatAuditResultIssues, } from "../validation/auditResults.js";
 import { formatAuditResultValidationError } from "./workerResult.js";
 import { looksLikeCliFlag, listBatchResultFiles } from "./args.js";
@@ -38,10 +39,23 @@ export async function runAuditStep(options) {
     if (looksLikeCliFlag(options.auditResultsPath)) {
         throw new Error(`Invalid audit results path '${options.auditResultsPath}'. This looks like a CLI flag rather than a file path.`);
     }
-    const auditResults = options.auditResultsPath
+    let auditResults = options.auditResultsPath
         ? await readJsonFile(options.auditResultsPath)
         : undefined;
     if (auditResults !== undefined) {
+        // Drop results whose task_id is no longer in the active manifest — e.g.
+        // selective-deepening tasks pruned by a later re-plan, whose orphaned answers
+        // would otherwise abort the whole batch at the validation gate below and
+        // strand every valid result. They cannot be ingested (coverage is keyed by
+        // the active task set), so skip-and-warn instead of throwing; results for
+        // KNOWN tasks with real errors still abort. The filtered array is what flows
+        // to advanceAudit, so orphans are neither validated nor ingested.
+        const partition = partitionOrphanedAuditResults(auditResults, new Set((bundle.audit_tasks ?? []).map((task) => task.task_id)));
+        if (partition && partition.orphanedTaskIds.length > 0) {
+            process.stderr.write(`audit-results ingestion: skipped ${partition.orphanedTaskIds.length} result(s) whose task_id ` +
+                `is not in the active manifest (orphaned by re-planning): ${partition.orphanedTaskIds.join(", ")}\n`);
+            auditResults = partition.retained;
+        }
         const issues = validateAuditResults(auditResults, bundle.audit_tasks ?? [], {
             lineIndex,
         });

package/dist/cli/dispatch.js

@@ -335,6 +335,9 @@ export function buildPacketPrompt(params) {
         "Produce one JSON array containing exactly one AuditResult object for each listed task.",
         "Windows PowerShell: do not pipe an inline foreach statement directly into ConvertTo-Json.",
         "Assign the foreach output to a variable first, then pipe that variable to ConvertTo-Json.",
+        "PowerShell also unwraps single-element arrays: @(@{...}) collapses to one object, so a",
+        "one-result submission serializes as an object (not a 1-element array) and is rejected. Wrap it",
+        "yourself: '[' + (ConvertTo-Json $obj -Depth 12) + ']', or build the array with Write-Output -NoEnumerate.",
         "",
         "Schema file (resolve relative to this prompt's directory): audit_result.schema.json",
         "  $refs resolved from the same directory: finding.schema.json, audit_task.schema.json",

package/dist/extractors/disposition.js

@@ -1,9 +1,16 @@
-import { isNodeModulesOrGit, isTmpPath, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isGeneratedPath, isAuditArtifactPath, isGeneratedTestArtifactPath, isGeneratedInstallArtifactPath, isExamplesOrFixturesPath, normalizeExtractorPath, } from "./pathPatterns.js";
+import { isNodeModulesOrGit, isPackageManagerCachePath, isTmpPath, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isGeneratedPath, isAuditArtifactPath, isAuditToolOutputArtifact, isGeneratedTestArtifactPath, isGeneratedInstallArtifactPath, isExamplesOrFixturesPath, normalizeExtractorPath, } from "./pathPatterns.js";
 function inferDisposition(path) {
     const normalized = normalizeExtractorPath(path);
     if (isNodeModulesOrGit(normalized)) {
         return { path, status: "excluded", reason: "node_modules or .git excluded by convention." };
     }
+    if (isPackageManagerCachePath(normalized)) {
+        return {
+            path,
+            status: "excluded",
+            reason: "Package-manager cache (npm _cacache/npm-cache) excluded by convention.",
+        };
+    }
     if (isTmpPath(normalized)) {
         return {
             path,
@@ -40,6 +47,13 @@ function inferDisposition(path) {
             reason: "Generated audit artifact.",
         };
     }
+    if (isAuditToolOutputArtifact(normalized)) {
+        return {
+            path,
+            status: "generated",
+            reason: "audit-tools pipeline output (findings/report) — a data deliverable, not source.",
+        };
+    }
     if (isGeneratedPath(normalized)) {
         return {
             path,

package/dist/extractors/pathPatterns.d.ts

@@ -24,6 +24,19 @@ export declare function isDocPath(normalized: string): boolean;
 export declare function isGeneratedInstallArtifactPath(normalized: string): boolean;
 export declare function isGeneratedTestArtifactPath(normalized: string): boolean;
 export declare function isAuditArtifactPath(normalized: string): boolean;
+/**
+ * Package-manager cache stores — npm's content-addressed `_cacache`, a nested
+ * `npm-cache`, or a local `.npm` — are dependency blobs, never the audited
+ * project's source. Smoke-test temp dirs can leave these inside the repo tree.
+ */
+export declare function isPackageManagerCachePath(normalized: string): boolean;
+/**
+ * The pipeline's own canonical machine contracts. When audit-tools audits itself
+ * (or any repo that checked one in) these are data deliverables, not source —
+ * auditing them yields only "this is JSON data" noise. The matching `*-report.md`
+ * renders are already handled as `doc_only` by `isDocPath`.
+ */
+export declare function isAuditToolOutputArtifact(normalized: string): boolean;
 export declare function isTestPath(normalized: string): boolean;
 export declare function isInterfacePath(normalized: string): boolean;
 export declare function isDataLayerPath(normalized: string): boolean;

package/dist/extractors/pathPatterns.js

@@ -22,6 +22,9 @@ const BINARY_EXTENSIONS = [
     ".otf",
     ".pdf",
     ".zip",
+    ".tgz",
+    ".tar",
+    ".gz",
 ];
 const LOCKFILE_NAMES = [
     "package-lock.json",
@@ -204,7 +207,31 @@ export function isGeneratedTestArtifactPath(normalized) {
     return splitSegments(normalized).some((segment) => segment.startsWith(".test-") && segment.endsWith("-artifacts"));
 }
 export function isAuditArtifactPath(normalized) {
-    return hasSegment(normalized, ".audit-tools");
+    return (hasSegment(normalized, ".audit-tools") ||
+        hasSegment(normalized, ".audit-artifacts"));
+}
+/**
+ * Package-manager cache stores — npm's content-addressed `_cacache`, a nested
+ * `npm-cache`, or a local `.npm` — are dependency blobs, never the audited
+ * project's source. Smoke-test temp dirs can leave these inside the repo tree.
+ */
+export function isPackageManagerCachePath(normalized) {
+    return (hasSegment(normalized, "_cacache") ||
+        hasSegment(normalized, "npm-cache") ||
+        hasSegment(normalized, ".npm"));
+}
+const AUDIT_TOOL_OUTPUT_BASENAMES = new Set([
+    "audit-findings.json",
+    "remediation-outcomes.json",
+]);
+/**
+ * The pipeline's own canonical machine contracts. When audit-tools audits itself
+ * (or any repo that checked one in) these are data deliverables, not source —
+ * auditing them yields only "this is JSON data" noise. The matching `*-report.md`
+ * renders are already handled as `doc_only` by `isDocPath`.
+ */
+export function isAuditToolOutputArtifact(normalized) {
+    return AUDIT_TOOL_OUTPUT_BASENAMES.has(baseName(normalized));
 }
 export function isTestPath(normalized) {
     const segments = splitSegments(normalized);

package/dist/orchestrator/resultIngestion.d.ts

@@ -1,3 +1,17 @@
 import type { AuditResult, AuditTask, CoverageMatrix } from "../types.js";
 export declare function ingestAuditResults(coverageMatrix: CoverageMatrix, results: AuditResult[]): CoverageMatrix;
 export declare function updateAuditTaskStatuses(tasks: AuditTask[] | undefined, results: AuditResult[]): AuditTask[] | undefined;
+/**
+ * Splits raw (unvalidated) audit results into those whose `task_id` is still in
+ * the active task manifest and those orphaned by a later re-plan (e.g. selective-
+ * deepening tasks pruned in a subsequent round). Orphaned results cannot be
+ * ingested — coverage is keyed by the active task set — and must not abort an
+ * otherwise-valid batch at the ingestion validation gate. Returns the retained
+ * results plus the orphaned task ids so the caller can skip-and-warn, or `null`
+ * when there is nothing to filter (not an array, or no active manifest yet),
+ * signaling the caller to pass the results through unchanged.
+ */
+export declare function partitionOrphanedAuditResults(results: unknown, activeTaskIds: Set<string>): {
+    retained: unknown[];
+    orphanedTaskIds: string[];
+} | null;

package/dist/orchestrator/resultIngestion.js

@@ -32,3 +32,31 @@ export function updateAuditTaskStatuses(tasks, results) {
         };
     });
 }
+/**
+ * Splits raw (unvalidated) audit results into those whose `task_id` is still in
+ * the active task manifest and those orphaned by a later re-plan (e.g. selective-
+ * deepening tasks pruned in a subsequent round). Orphaned results cannot be
+ * ingested — coverage is keyed by the active task set — and must not abort an
+ * otherwise-valid batch at the ingestion validation gate. Returns the retained
+ * results plus the orphaned task ids so the caller can skip-and-warn, or `null`
+ * when there is nothing to filter (not an array, or no active manifest yet),
+ * signaling the caller to pass the results through unchanged.
+ */
+export function partitionOrphanedAuditResults(results, activeTaskIds) {
+    if (!Array.isArray(results) || activeTaskIds.size === 0) {
+        return null;
+    }
+    const orphanedTaskIds = [];
+    const retained = results.filter((entry) => {
+        const taskId = entry && typeof entry === "object" && !Array.isArray(entry) &&
+            typeof entry.task_id === "string"
+            ? entry.task_id
+            : undefined;
+        if (taskId !== undefined && !activeTaskIds.has(taskId)) {
+            orphanedTaskIds.push(taskId);
+            return false;
+        }
+        return true;
+    });
+    return { retained, orphanedTaskIds };
+}

package/dist/prompts/renderWorkerPrompt.js

@@ -44,6 +44,9 @@ export function renderWorkerPrompt(task) {
             "Constraint: line_end must not exceed total_lines for that file.",
             "Windows PowerShell: do not pipe an inline foreach statement directly into ConvertTo-Json.",
             "Assign the foreach output to a variable first, then pipe that variable to ConvertTo-Json.",
+            "PowerShell also unwraps single-element arrays: @(@{...}) collapses to one object, so a one-result",
+            "submission serializes as an object (not a 1-element array) and is rejected. Wrap it yourself:",
+            "'[' + (ConvertTo-Json $obj -Depth 12) + ']', or build the array with Write-Output -NoEnumerate.",
             `Write only the JSON array of AuditResult objects to: ${task.audit_results_path}`,
         ];
         if (usesDeferredWorkerCommand(task)) {

package/dist/validation/auditResults.js

@@ -305,7 +305,8 @@ function validateVerificationFollowupTask(task, label, taskId, resultIndex, expe
                     result_index: resultIndex,
                     task_id: taskId,
                     field: `${label}.file_paths[${index}]`,
-                    message: `${label}.file_paths[${index}] references '${path}', which is outside the verification task's file_coverage.`,
+                    message: `${label}.file_paths[${index}] references '${path}', which is outside the verification task's file_coverage. ` +
+                        `Followup tasks list files in 'file_paths' (array of strings), not 'file_coverage'; allowed: ${[...allowedPaths].join(", ")}.`,
                 });
             }
         }
@@ -481,7 +482,8 @@ export function validateAuditResults(results, tasks, options = {}) {
                         result_index: i,
                         task_id: taskId,
                         field: `file_coverage[${j}].path`,
-                        message: `file_coverage path '${entry.path}' is not listed in the task file_paths.`,
+                        message: `file_coverage path '${entry.path}' is not listed in the task file_paths. ` +
+                            `Declare only assigned files; allowed for this task: ${task.file_paths.join(", ")}.`,
                     });
                 }
                 else if (seenCoveragePaths.has(entryNorm)) {
@@ -595,7 +597,9 @@ export function validateAuditResults(results, tasks, options = {}) {
                         result_index: i,
                         task_id: taskId,
                         field: `${label}.affected_files[${k}].path`,
-                        message: `affected_files path '${affected.path}' is not in the declared assigned file_coverage.`,
+                        message: `affected_files path '${affected.path}' is not in the declared assigned file_coverage. ` +
+                            `Add it to this result's file_coverage first` +
+                            (task ? `; the task's assigned files are: ${task.file_paths.join(", ")}.` : "."),
                     });
                     continue;
                 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.11.0",
+  "version": "0.11.1",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",