auditor-lambda 0.2.1 → 0.2.3

package/dist/adapters/eslint.js

@@ -1,8 +1,10 @@
 import { normalizeGenericExternalResults } from "./normalizeExternal.js";
+const ESLINT_SEVERITY_ERROR = 2;
+const ESLINT_SEVERITY_WARNING = 1;
 function mapSeverity(value) {
-    if (value === 2)
+    if (value === ESLINT_SEVERITY_ERROR)
         return "medium";
-    if (value === 1)
+    if (value === ESLINT_SEVERITY_WARNING)
         return "low";
     return "info";
 }

package/dist/adapters/npmAudit.js

@@ -1,7 +1,7 @@
 import { normalizeGenericExternalResults } from "./normalizeExternal.js";
 export function normalizeNpmAuditJson(input) {
     return normalizeGenericExternalResults("npm-audit", Object.entries(input.vulnerabilities ?? {}).map(([pkg, vuln], index) => ({
-        id: `npm-audit-${index + 1}`,
+        id: `npm-audit-${index}`,
         category: "dependency_risk",
         severity: vuln.severity ?? "unknown",
         path: "package-lock.json",

package/dist/cli.js

@@ -1,4 +1,4 @@
-import { mkdir } from "node:fs/promises";
+import { access, mkdir } from "node:fs/promises";
 import { createReadStream } from "node:fs";
 import { join, resolve } from "node:path";
 import { buildRepoManifest } from "./extractors/fileInventory.js";
@@ -24,8 +24,11 @@ import { buildAuditCodeHandoff, writeAuditCodeHandoffArtifacts, } from "./superv
 import { getSessionConfigPath, loadSessionConfig, readSessionConfigFile, } from "./supervisor/sessionConfig.js";
 import { buildRunId, ensureSupervisorDirs, getRunPaths, writeWorkerTaskFiles, } from "./io/runArtifacts.js";
 import { renderWorkerPrompt } from "./prompts/renderWorkerPrompt.js";
+import { LOCAL_SUBPROCESS_PROVIDER_NAME } from "./providers/constants.js";
 const ADVANCE_AUDIT_CONTRACT_VERSION = "audit-code/v1alpha1";
 const WORKER_RESULT_CONTRACT_VERSION = "audit-code-worker-result/v1alpha1";
+const DEFAULT_MAX_RUNS = 1000;
+const DEFAULT_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes
 const sampleFiles = [
     { path: "src/api/auth.ts", size_bytes: 1240, hash: "abc123" },
     { path: "src/lib/session.ts", size_bytes: 980, hash: "def456" },
@@ -48,8 +51,8 @@ function getRootDir(argv) {
     return resolve(getFlag(argv, "--root", "."));
 }
 function getMaxRuns(argv) {
-    const raw = Number(getFlag(argv, "--max-runs", "1000"));
-    return Number.isFinite(raw) && raw > 0 ? Math.floor(raw) : 1000;
+    const raw = Number(getFlag(argv, "--max-runs", String(DEFAULT_MAX_RUNS)));
+    return Number.isFinite(raw) && raw > 0 ? Math.floor(raw) : DEFAULT_MAX_RUNS;
 }
 function getAgentBatchSize(argv, sessionConfig) {
     const fromArg = getFlag(argv, "--agent-batch-size");
@@ -58,8 +61,7 @@ function getAgentBatchSize(argv, sessionConfig) {
         if (Number.isFinite(parsed) && parsed > 0)
             return Math.floor(parsed);
     }
-    if (typeof sessionConfig.agent_task_batch_size === "number" &&
-        sessionConfig.agent_task_batch_size > 0) {
+    if (typeof sessionConfig.agent_task_batch_size === "number" && sessionConfig.agent_task_batch_size > 0) {
         return Math.floor(sessionConfig.agent_task_batch_size);
     }
     return 1;
@@ -71,8 +73,7 @@ function getParallelWorkers(argv, sessionConfig) {
         if (Number.isFinite(parsed) && parsed > 0)
             return Math.floor(parsed);
     }
-    if (typeof sessionConfig.parallel_workers === "number" &&
-        sessionConfig.parallel_workers > 0) {
+    if (typeof sessionConfig.parallel_workers === "number" && sessionConfig.parallel_workers > 0) {
         return Math.floor(sessionConfig.parallel_workers);
     }
     return 1;
@@ -113,6 +114,7 @@ async function emitEnvelope(params) {
         bundle: params.bundle,
         providerName: params.providerName,
         progressSummary: params.progress_summary,
+        isConfigError: params.isConfigError,
     });
     await writeAuditCodeHandoffArtifacts(handoff);
     console.log(JSON.stringify(buildEnvelope({
@@ -127,7 +129,7 @@ async function emitEnvelope(params) {
     }), null, 2));
 }
 function buildManualReviewBlocker(providerName) {
-    return providerName === "local-subprocess"
+    return providerName === LOCAL_SUBPROCESS_PROVIDER_NAME
         ? "Automatic local-subprocess work is exhausted. Remaining audit tasks require explicit audit results or an interactive provider such as claude-code, opencode, or subprocess-template."
         : "Automatic work is exhausted. Remaining audit tasks require explicit audit results or an interactive provider.";
 }
@@ -159,8 +161,9 @@ function buildBlockedAuditState(params) {
 }
 async function countLines(path) {
     return new Promise((resolve, reject) => {
-        let lines = 1;
+        let lines = 0;
         let byteCount = 0;
+        let lastByte = -1;
         const stream = createReadStream(path);
         stream.on("data", (chunk) => {
             const buffer = typeof chunk === "string" ? Buffer.from(chunk) : chunk;
@@ -168,9 +171,15 @@ async function countLines(path) {
             for (let i = 0; i < buffer.length; ++i) {
                 if (buffer[i] === 10)
                     lines++;
+                lastByte = buffer[i];
             }
         });
-        stream.on("end", () => resolve(byteCount === 0 ? 0 : lines));
+        stream.on("end", () => {
+            if (byteCount === 0)
+                return resolve(0);
+            // Files not ending with \n have one final line not counted above
+            resolve(lastByte !== 10 ? lines + 1 : lines);
+        });
         stream.on("error", reject);
     });
 }
@@ -194,20 +203,29 @@ async function buildLineIndex(root, repoManifest) {
     }
     return Object.fromEntries(entries);
 }
-function resolveModelForTasks(tasks, sessionConfig) {
-    if (!sessionConfig.model_tiers)
-        return undefined;
-    const tiers = [
-        "capable",
-        "balanced",
-        "fast",
-    ];
-    for (const tier of tiers) {
-        if (tasks.some((t) => t.model_hint === tier)) {
-            return sessionConfig.model_tiers[tier];
+const PROJECT_SIGNALS = [
+    "package.json",
+    "go.mod",
+    "Cargo.toml",
+    "pom.xml",
+    "build.gradle",
+    "pyproject.toml",
+    "setup.py",
+    "setup.cfg",
+    "Makefile",
+    "CMakeLists.txt",
+];
+async function detectProjectRoot(root) {
+    for (const signal of PROJECT_SIGNALS) {
+        try {
+            await access(join(root, signal));
+            return signal;
+        }
+        catch {
+            // not found, try next
         }
     }
-    return undefined;
+    return null;
 }
 function buildPendingAuditTasks(bundle) {
     const completedTaskIds = new Set((bundle.audit_results ?? []).map((result) => result.task_id));
@@ -337,10 +355,39 @@ async function cmdRunToCompletion(argv) {
     const maxRuns = getMaxRuns(argv);
     const agentBatchSize = getAgentBatchSize(argv, sessionConfig);
     const parallelWorkers = getParallelWorkers(argv, sessionConfig);
-    const timeoutMs = sessionConfig.timeout_ms ?? 30 * 60 * 1000;
+    const timeoutMs = sessionConfig.timeout_ms ?? DEFAULT_TIMEOUT_MS;
     const selfCliPath = resolve(process.argv[1] ?? "");
     await mkdir(artifactsDir, { recursive: true });
     await ensureSupervisorDirs(artifactsDir);
+    const earlyBundle = await loadArtifactBundle(artifactsDir);
+    if (!earlyBundle.unit_manifest) {
+        const foundSignal = await detectProjectRoot(root);
+        if (!foundSignal) {
+            const blocker = `No recognisable project signals found in ${root}. Expected one of: ${PROJECT_SIGNALS.join(", ")}. Check that --root points to the repository root, not a subdirectory or an unrelated path.`;
+            const earlyState = deriveAuditState(earlyBundle);
+            const blockedState = buildBlockedAuditState({
+                state: earlyState,
+                obligationId: null,
+                executor: null,
+                blocker,
+            });
+            await emitEnvelope({
+                root,
+                artifactsDir,
+                bundle: { ...earlyBundle, audit_state: blockedState },
+                audit_state: blockedState,
+                selected_obligation: null,
+                selected_executor: null,
+                progress_made: false,
+                artifacts_written: [],
+                progress_summary: blocker,
+                next_likely_step: null,
+                providerName: provider.name,
+                isConfigError: true,
+            });
+            return;
+        }
+    }
     let pendingAuditResultsPath = getFlag(argv, "--results");
     let pendingRuntimeUpdatesPath = getFlag(argv, "--updates");
     let pendingExternalAnalyzerPath = getFlag(argv, "--external-analyzer-results");
@@ -371,7 +418,7 @@ async function cmdRunToCompletion(argv) {
             obligationId = "runtime_validation_current";
             runtimeUpdatesPath = pendingRuntimeUpdatesPath;
         }
-        if (preferredExecutor === "agent" && provider.name === "local-subprocess") {
+        if (preferredExecutor === "agent" && provider.name === LOCAL_SUBPROCESS_PROVIDER_NAME) {
             const blocker = buildManualReviewBlocker(provider.name);
             const blockedState = buildBlockedAuditState({
                 state: bundle.audit_state ?? decision.state,
@@ -468,13 +515,7 @@ async function cmdRunToCompletion(argv) {
                     obligation_id: obligationId,
                     preferred_executor: "agent",
                     result_path: slotPaths.resultPath,
-                    worker_command: [
-                        process.execPath,
-                        selfCliPath,
-                        "worker-run",
-                        "--task",
-                        slotPaths.taskPath,
-                    ],
+                    worker_command: [process.execPath, selfCliPath, "worker-run", "--task", slotPaths.taskPath],
                     audit_results_path: slotAuditResultsPath,
                     pending_audit_tasks_path: slotPendingTasksPath,
                     skip_worker_command: true,
@@ -482,13 +523,7 @@ async function cmdRunToCompletion(argv) {
                 const slotPrompt = renderWorkerPrompt(slotTask);
                 await writeWorkerTaskFiles(slotTask, slotPrompt, slotPaths, artifactsDir);
                 await writeJsonFile(slotPendingTasksPath, group);
-                workerSlots.push({
-                    runId: slotRunId,
-                    paths: slotPaths,
-                    auditResultsPath: slotAuditResultsPath,
-                    pendingTasksPath: slotPendingTasksPath,
-                    group,
-                });
+                workerSlots.push({ runId: slotRunId, paths: slotPaths, auditResultsPath: slotAuditResultsPath, pendingTasksPath: slotPendingTasksPath, group });
             }
             const parallelStartedAt = new Date().toISOString();
             await Promise.allSettled(workerSlots.map((slot) => provider.launch({
@@ -502,8 +537,10 @@ async function cmdRunToCompletion(argv) {
                 stderrPath: slot.paths.stderrPath,
                 uiMode,
                 timeoutMs,
-                model: resolveModelForTasks(slot.group, sessionConfig),
             })));
+            // Result ingestion is intentionally sequential even though agent launch
+            // was parallel. Writing to coverage_matrix.json is not atomic, so
+            // concurrent ingest calls would race and corrupt coverage state.
             let batchProgress = false;
             for (const slot of workerSlots) {
                 const parallelEndedAt = new Date().toISOString();
@@ -520,8 +557,7 @@ async function cmdRunToCompletion(argv) {
                     const warnings = issues.filter((issue) => issue.severity === "warning");
                     if (warnings.length > 0) {
                         process.stderr.write(`audit-results validation: ${warnings.length} warning(s) for ${slot.runId}:\n` +
-                            formatAuditResultIssues(warnings) +
-                            "\n");
+                            formatAuditResultIssues(warnings) + "\n");
                     }
                     if (errors.length > 0) {
                         throw new Error(`audit-results validation failed with ${errors.length} error(s):\n` +
@@ -626,9 +662,6 @@ async function cmdRunToCompletion(argv) {
                 stderrPath: paths.stderrPath,
                 uiMode,
                 timeoutMs,
-                model: pendingAuditTasks
-                    ? resolveModelForTasks(pendingAuditTasks, sessionConfig)
-                    : undefined,
             });
             const candidate = await readJsonFile(paths.resultPath);
             workerResult = isWorkerResult(candidate)
@@ -881,7 +914,11 @@ async function cmdValidate(argv) {
     const providerIssues = rawSessionConfig === undefined || sessionConfigIssues.length > 0
         ? []
         : prefixValidationIssues("session_config", validateConfiguredProviderEnvironment(rawSessionConfig));
-    const issues = [...artifactIssues, ...sessionConfigIssues, ...providerIssues];
+    const issues = [
+        ...artifactIssues,
+        ...sessionConfigIssues,
+        ...providerIssues,
+    ];
     const resolvedProvider = rawSessionConfig === undefined
         ? "local-subprocess"
         : sessionConfigIssues.length > 0

package/dist/extractors/bucketing.js

@@ -1,3 +1,4 @@
+import { isNodeModulesOrGit, isTestPath, isInterfacePath, isDataLayerPath, isSecuritySensitivePath, isConcurrencyPath, isScriptPath, isDeploymentConfigPath, isDocPath, isGeneratedPath, } from "./pathPatterns.js";
 function addBucket(buckets, rationale, bucket, reason) {
     if (!buckets.has(bucket)) {
         buckets.add(bucket);
@@ -8,57 +9,35 @@ export function bucketFile(path) {
     const normalized = path.toLowerCase();
     const buckets = new Set();
     const rationale = [];
-    if (normalized.includes("test") ||
-        normalized.includes("spec") ||
-        normalized.includes("__tests__")) {
+    if (isNodeModulesOrGit(normalized)) {
+        addBucket(buckets, rationale, "generated_vendor", "node_modules or .git excluded by convention");
+        return { path, buckets: [...buckets], rationale };
+    }
+    if (isTestPath(normalized)) {
         addBucket(buckets, rationale, "tests", "path suggests tests");
     }
-    if (normalized.includes("route") ||
-        normalized.includes("controller") ||
-        normalized.includes("handler") ||
-        normalized.includes("api/")) {
+    if (isInterfacePath(normalized)) {
         addBucket(buckets, rationale, "interface", "path suggests interface code");
     }
-    if (normalized.includes("model") ||
-        normalized.includes("schema") ||
-        normalized.includes("migration") ||
-        normalized.includes("seed") ||
-        normalized.includes("db/")) {
+    if (isDataLayerPath(normalized)) {
         addBucket(buckets, rationale, "data_layer", "path suggests data-layer code");
     }
-    if (normalized.includes("auth") ||
-        normalized.includes("secret") ||
-        normalized.includes("token") ||
-        normalized.includes("permission") ||
-        normalized.includes("session")) {
+    if (isSecuritySensitivePath(normalized)) {
         addBucket(buckets, rationale, "security_sensitive", "path suggests security-sensitive code");
     }
-    if (normalized.includes("queue") ||
-        normalized.includes("worker") ||
-        normalized.includes("job") ||
-        normalized.includes("cache") ||
-        normalized.includes("retry") ||
-        normalized.includes("lock")) {
+    if (isConcurrencyPath(normalized)) {
         addBucket(buckets, rationale, "concurrency_state", "path suggests concurrency or stateful behavior");
     }
-    if (normalized.includes("script") ||
-        normalized.startsWith("scripts/") ||
-        normalized.startsWith("bin/")) {
+    if (isScriptPath(normalized)) {
         addBucket(buckets, rationale, "tooling_scripts", "path suggests tooling or scripts");
     }
-    if (normalized.includes("docker") ||
-        normalized.includes("terraform") ||
-        normalized.includes("deploy") ||
-        normalized.includes("workflow") ||
-        normalized.includes("k8s") ||
-        normalized.endsWith(".yml") ||
-        normalized.endsWith(".yaml")) {
+    if (isDeploymentConfigPath(normalized)) {
         addBucket(buckets, rationale, "config_deployment", "path suggests config or deployment artifact");
     }
-    if (normalized.endsWith(".md") || normalized.startsWith("docs/")) {
+    if (isDocPath(normalized)) {
         addBucket(buckets, rationale, "docs_specs", "path suggests documentation");
     }
-    if (normalized.includes("vendor") || normalized.includes("generated")) {
+    if (isGeneratedPath(normalized)) {
         addBucket(buckets, rationale, "generated_vendor", "path suggests generated or vendored content");
     }
     if (buckets.size === 0) {

package/dist/extractors/disposition.js

@@ -1,24 +1,23 @@
+import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isDocPath, } from "./pathPatterns.js";
 function inferDisposition(path) {
     const normalized = path.toLowerCase();
-    if (normalized.startsWith("dist/") || normalized.startsWith("build/")) {
+    if (isNodeModulesOrGit(normalized)) {
+        return { path, status: "excluded", reason: "node_modules or .git excluded by convention." };
+    }
+    if (isBuildOutput(normalized)) {
         return { path, status: "generated", reason: "Build output path." };
     }
-    if (normalized.includes("vendor") || normalized.includes("third_party")) {
+    if (isVendorPath(normalized)) {
         return { path, status: "vendor", reason: "Vendor or third-party path." };
     }
-    if (normalized.endsWith(".png") ||
-        normalized.endsWith(".jpg") ||
-        normalized.endsWith(".jpeg") ||
-        normalized.endsWith(".gif") ||
-        normalized.endsWith(".pdf") ||
-        normalized.endsWith(".zip")) {
+    if (isBinaryArtifact(normalized)) {
         return {
             path,
             status: "binary",
             reason: "Non-source binary-like artifact.",
         };
     }
-    if (normalized.endsWith(".md") || normalized.startsWith("docs/")) {
+    if (isDocPath(normalized)) {
         return { path, status: "doc_only", reason: "Documentation artifact." };
     }
     return {

package/dist/extractors/fileInventory.js

@@ -6,8 +6,6 @@ function inferLanguage(path) {
             return "typescript";
         case "js":
         case "jsx":
-        case "mjs":
-        case "cjs":
             return "javascript";
         case "py":
             return "python";

package/dist/extractors/flows.js

@@ -1,27 +1,18 @@
 import { isAuditExcludedStatus } from "./disposition.js";
+import { isSecuritySensitivePath, isDataLayerPath, isConcurrencyPath, isInterfacePath, isDeploymentConfigPath, } from "./pathPatterns.js";
 function inferConcerns(paths) {
     const concerns = new Set();
     for (const path of paths) {
         const normalized = path.toLowerCase();
-        if (normalized.includes("auth") ||
-            normalized.includes("token") ||
-            normalized.includes("session"))
+        if (isSecuritySensitivePath(normalized))
             concerns.add("security");
-        if (normalized.includes("db") ||
-            normalized.includes("model") ||
-            normalized.includes("schema") ||
-            normalized.includes("migration") ||
+        if (isDataLayerPath(normalized) ||
             normalized.includes("invoice") ||
             normalized.includes("payment"))
             concerns.add("data_integrity");
-        if (normalized.includes("worker") ||
-            normalized.includes("job") ||
-            normalized.includes("retry") ||
-            normalized.includes("queue"))
+        if (isConcurrencyPath(normalized))
             concerns.add("reliability");
-        if (normalized.includes("api") ||
-            normalized.includes("route") ||
-            normalized.includes("controller"))
+        if (isInterfacePath(normalized))
             concerns.add("correctness");
     }
     return concerns.size > 0 ? [...concerns] : ["correctness"];
@@ -33,13 +24,15 @@ function relatedPaths(entry, availablePaths) {
         const lower = path.toLowerCase();
         if (path === entry)
             continue;
-        if ((normalized.includes("auth") || normalized.includes("session")) &&
+        // Auth / session flows: link sibling auth, session, token, user paths
+        if (isSecuritySensitivePath(normalized) &&
             (lower.includes("auth") ||
                 lower.includes("session") ||
                 lower.includes("token") ||
                 lower.includes("user"))) {
             linked.add(path);
         }
+        // Billing / payment flows: link ledger and subscription paths
         if ((normalized.includes("billing") ||
             normalized.includes("invoice") ||
             normalized.includes("payment")) &&
@@ -50,9 +43,8 @@ function relatedPaths(entry, availablePaths) {
                 lower.includes("subscription"))) {
             linked.add(path);
         }
-        if ((normalized.includes("job") ||
-            normalized.includes("worker") ||
-            normalized.includes("queue")) &&
+        // Async / queue flows: link worker, job, retry, and task paths
+        if (isConcurrencyPath(normalized) &&
             (lower.includes("queue") ||
                 lower.includes("retry") ||
                 lower.includes("worker") ||
@@ -60,7 +52,8 @@ function relatedPaths(entry, availablePaths) {
                 lower.includes("task"))) {
             linked.add(path);
         }
-        if ((normalized.includes("deploy") || normalized.includes("docker")) &&
+        // Deployment / infra flows: link docker, k8s, terraform, workflow paths
+        if (isDeploymentConfigPath(normalized) &&
             (lower.includes("deploy") ||
                 lower.includes("docker") ||
                 lower.includes("workflow") ||
@@ -75,7 +68,7 @@ function dedupeFlows(flows) {
     const seen = new Set();
     const deduped = [];
     for (const flow of flows) {
-        const signature = `${flow.name}|${flow.paths.join(",")}|${flow.concerns.join(",")}`;
+        const signature = `${flow.name}|${[...flow.paths].sort().join(",")}|${[...flow.concerns].sort().join(",")}`;
         if (seen.has(signature))
             continue;
         seen.add(signature);
@@ -108,9 +101,7 @@ export function buildCriticalFlowManifest(repoManifest, surfaceManifest, disposi
     }
     for (const path of availablePaths) {
         const lower = path.toLowerCase();
-        if (lower.includes("migration") ||
-            lower.includes("schema") ||
-            lower.includes("seed")) {
+        if (isDataLayerPath(lower) || lower.includes("seed")) {
             flows.push({
                 id: `flow:data:${path.replace(/[^a-zA-Z0-9:_-]/g, "-")}`,
                 name: `data evolution flow for ${path}`,

package/dist/extractors/fsIntake.js

@@ -22,7 +22,10 @@ function shouldIgnore(relativePath, ignores) {
     const normalized = normalizePath(relativePath);
     return ignores.some((ignore) => {
         const value = normalizePath(ignore);
-        return normalized === value || normalized.startsWith(`${value}/`);
+        return (normalized === value ||
+            normalized.startsWith(`${value}/`) ||
+            normalized.includes(`/${value}/`) ||
+            normalized.endsWith(`/${value}`));
     });
 }
 async function maybeHashFile(path, enabled) {

package/dist/extractors/pathPatterns.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Centralised path-pattern predicates shared across disposition, bucketing,
+ * surfaces, and flows extractors.  Every function operates on the
+ * already-lower-cased form of the path.
+ */
+export declare function isNodeModulesOrGit(normalized: string): boolean;
+export declare function isBuildOutput(normalized: string): boolean;
+export declare function isVendorPath(normalized: string): boolean;
+export declare function isBinaryArtifact(normalized: string): boolean;
+export declare function isDocPath(normalized: string): boolean;
+export declare function isTestPath(normalized: string): boolean;
+export declare function isInterfacePath(normalized: string): boolean;
+export declare function isDataLayerPath(normalized: string): boolean;
+export declare function isSecuritySensitivePath(normalized: string): boolean;
+export declare function isConcurrencyPath(normalized: string): boolean;
+export declare function isScriptPath(normalized: string): boolean;
+export declare function isDeploymentConfigPath(normalized: string): boolean;
+export declare function isGeneratedPath(normalized: string): boolean;
+export declare function isSurfacePath(normalized: string): boolean;

package/dist/extractors/pathPatterns.js

@@ -0,0 +1,91 @@
+/**
+ * Centralised path-pattern predicates shared across disposition, bucketing,
+ * surfaces, and flows extractors.  Every function operates on the
+ * already-lower-cased form of the path.
+ */
+export function isNodeModulesOrGit(normalized) {
+    return (normalized === "node_modules" ||
+        normalized.startsWith("node_modules/") ||
+        normalized.includes("/node_modules/") ||
+        normalized.endsWith("/node_modules") ||
+        normalized === ".git" ||
+        normalized.startsWith(".git/") ||
+        normalized.includes("/.git/") ||
+        normalized.endsWith("/.git"));
+}
+export function isBuildOutput(normalized) {
+    return normalized.startsWith("dist/") || normalized.startsWith("build/");
+}
+export function isVendorPath(normalized) {
+    return normalized.includes("vendor") || normalized.includes("third_party");
+}
+export function isBinaryArtifact(normalized) {
+    return (normalized.endsWith(".png") ||
+        normalized.endsWith(".jpg") ||
+        normalized.endsWith(".jpeg") ||
+        normalized.endsWith(".gif") ||
+        normalized.endsWith(".pdf") ||
+        normalized.endsWith(".zip"));
+}
+export function isDocPath(normalized) {
+    return normalized.endsWith(".md") || normalized.startsWith("docs/");
+}
+export function isTestPath(normalized) {
+    return (normalized.includes("test") ||
+        normalized.includes("spec") ||
+        normalized.includes("__tests__"));
+}
+export function isInterfacePath(normalized) {
+    return (normalized.includes("route") ||
+        normalized.includes("controller") ||
+        normalized.includes("handler") ||
+        normalized.includes("api/"));
+}
+export function isDataLayerPath(normalized) {
+    return (normalized.includes("model") ||
+        normalized.includes("schema") ||
+        normalized.includes("migration") ||
+        normalized.includes("seed") ||
+        normalized.includes("db/"));
+}
+export function isSecuritySensitivePath(normalized) {
+    return (normalized.includes("auth") ||
+        normalized.includes("secret") ||
+        normalized.includes("token") ||
+        normalized.includes("permission") ||
+        normalized.includes("session"));
+}
+export function isConcurrencyPath(normalized) {
+    return (normalized.includes("queue") ||
+        normalized.includes("worker") ||
+        normalized.includes("job") ||
+        normalized.includes("cache") ||
+        normalized.includes("retry") ||
+        normalized.includes("lock"));
+}
+export function isScriptPath(normalized) {
+    return (normalized.includes("script") ||
+        normalized.startsWith("scripts/") ||
+        normalized.startsWith("bin/"));
+}
+export function isDeploymentConfigPath(normalized) {
+    return (normalized.includes("docker") ||
+        normalized.includes("terraform") ||
+        normalized.includes("deploy") ||
+        normalized.includes("workflow") ||
+        normalized.includes("k8s") ||
+        normalized.endsWith(".yml") ||
+        normalized.endsWith(".yaml"));
+}
+export function isGeneratedPath(normalized) {
+    return normalized.includes("vendor") || normalized.includes("generated");
+}
+export function isSurfacePath(normalized) {
+    return (normalized.includes("api/") ||
+        normalized.includes("route") ||
+        normalized.includes("controller") ||
+        normalized.includes("worker") ||
+        normalized.includes("job") ||
+        normalized.includes("command") ||
+        normalized.includes("cli"));
+}

package/dist/extractors/surfaces.js

@@ -1,4 +1,5 @@
 import { isAuditExcludedStatus } from "./disposition.js";
+import { isSurfacePath } from "./pathPatterns.js";
 function methodsForPath(path) {
     const normalized = path.toLowerCase();
     if (normalized.includes("api") || normalized.includes("route")) {
@@ -15,13 +16,7 @@ export function buildSurfaceManifest(repoManifest, disposition) {
             continue;
         }
         const normalized = file.path.toLowerCase();
-        if (normalized.includes("api/") ||
-            normalized.includes("route") ||
-            normalized.includes("controller") ||
-            normalized.includes("worker") ||
-            normalized.includes("job") ||
-            normalized.includes("command") ||
-            normalized.includes("cli")) {
+        if (isSurfacePath(normalized)) {
             surfaces.push({
                 id: `surface:${file.path}`,
                 kind: normalized.includes("worker") || normalized.includes("job")