auditor-lambda 0.2.12 → 0.2.13

package/dist/cli.js

@@ -400,7 +400,7 @@ async function ingestBatchAuditResults(options) {
     }
     const bundle = lastStep?.updated_bundle ??
         (await loadArtifactBundle(options.artifactsDir));
-    const state = lastStep?.audit_state ?? deriveAuditState(bundle);
+    const state = deriveAuditState(bundle);
     const decision = decideNextStep(bundle);
     return {
         batchFiles,
@@ -720,7 +720,7 @@ async function cmdRunToCompletion(argv) {
         if (preferredExecutor === "agent" && provider.name === LOCAL_SUBPROCESS_PROVIDER_NAME) {
             const blocker = buildManualReviewBlocker(provider.name);
             const blockedState = buildBlockedAuditState({
-                state: bundle.audit_state ?? decision.state,
+                state: decision.state,
                 obligationId,
                 executor: preferredExecutor,
                 blocker,
@@ -784,7 +784,7 @@ async function cmdRunToCompletion(argv) {
             return;
         }
         if (!preferredExecutor) {
-            const state = bundle.audit_state ?? decision.state;
+            const state = decision.state;
             await clearDispatchFiles(artifactsDir);
             await emitEnvelope({
                 root,
@@ -1251,12 +1251,12 @@ async function cmdRunToCompletion(argv) {
             const shouldBlock = workerResult.status === "failed" || workerResult.status === "blocked";
             const state = shouldBlock
                 ? buildBlockedAuditState({
-                    state: bundleAfter.audit_state ?? deriveAuditState(bundleAfter),
+                    state: deriveAuditState(bundleAfter),
                     obligationId: workerResult.obligation_id,
                     executor: workerResult.selected_executor,
                     blocker: buildWorkerFailureBlocker(workerResult),
                 })
-                : bundleAfter.audit_state ?? deriveAuditState(bundleAfter);
+                : deriveAuditState(bundleAfter);
             if (shouldBlock) {
                 await writeCoreArtifacts(artifactsDir, {
                     ...bundleAfter,
@@ -1285,7 +1285,7 @@ async function cmdRunToCompletion(argv) {
     }
     const bundle = await loadArtifactBundle(artifactsDir);
     const decision = decideNextStep(bundle);
-    const state = bundle.audit_state ?? decision.state;
+    const state = decision.state;
     if (state.status === "complete") {
         await clearDispatchFiles(artifactsDir);
     }

package/dist/extractors/disposition.js

@@ -1,4 +1,4 @@
-import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isGeneratedInstallArtifactPath, normalizeExtractorPath, } from "./pathPatterns.js";
+import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isAuditArtifactPath, isGeneratedInstallArtifactPath, normalizeExtractorPath, } from "./pathPatterns.js";
 function inferDisposition(path) {
     const normalized = normalizeExtractorPath(path);
     if (isNodeModulesOrGit(normalized)) {
@@ -26,6 +26,13 @@ function inferDisposition(path) {
     if (isLockfilePath(normalized)) {
         return { path, status: "generated", reason: "Lockfile excluded from code audit scope." };
     }
+    if (isAuditArtifactPath(normalized)) {
+        return {
+            path,
+            status: "generated",
+            reason: "Generated audit artifact.",
+        };
+    }
     if (isDocPath(normalized)) {
         return { path, status: "doc_only", reason: "Documentation artifact." };
     }

package/dist/extractors/pathPatterns.d.ts

@@ -14,6 +14,7 @@ export declare function isLicensePath(normalized: string): boolean;
 export declare function isLockfilePath(normalized: string): boolean;
 export declare function isDocPath(normalized: string): boolean;
 export declare function isGeneratedInstallArtifactPath(normalized: string): boolean;
+export declare function isAuditArtifactPath(normalized: string): boolean;
 export declare function isTestPath(normalized: string): boolean;
 export declare function isInterfacePath(normalized: string): boolean;
 export declare function isDataLayerPath(normalized: string): boolean;

package/dist/extractors/pathPatterns.js

@@ -103,6 +103,9 @@ export function isDocPath(normalized) {
 export function isGeneratedInstallArtifactPath(normalized) {
     return normalized.startsWith(".audit-code/install/");
 }
+export function isAuditArtifactPath(normalized) {
+    return splitSegments(normalized).some((segment) => segment.startsWith(".audit-artifacts"));
+}
 export function isTestPath(normalized) {
     return includesAny(normalized, TEST_KEYWORDS);
 }

package/dist/io/artifacts.d.ts

@@ -9,6 +9,7 @@ import type { GraphBundle } from "../types/graph.js";
 import type { RiskRegister } from "../types/risk.js";
 import type { RuntimeValidationReport, RuntimeValidationTaskManifest } from "../types/runtimeValidation.js";
 import type { SurfaceManifest } from "../types/surfaces.js";
+import type { ToolingManifest } from "../types/toolingManifest.js";
 type ArtifactPayloadMap = {
     repo_manifest: RepoManifest;
     file_disposition: FileDisposition;
@@ -29,6 +30,7 @@ type ArtifactPayloadMap = {
     audit_report: string;
     audit_state: AuditState;
     artifact_metadata: ArtifactMetadataManifest;
+    tooling_manifest: ToolingManifest;
 };
 /**
  * Audit artifacts accumulate phase-by-phase as the orchestrator advances.
@@ -63,6 +65,7 @@ export declare const ARTIFACT_DEFINITIONS: {
     readonly audit_report: ArtifactDefinition<"audit_report">;
     readonly audit_state: ArtifactDefinition<"audit_state">;
     readonly artifact_metadata: ArtifactDefinition<"artifact_metadata">;
+    readonly tooling_manifest: ArtifactDefinition<"tooling_manifest">;
 };
 export declare const ARTIFACT_FILE_TO_BUNDLE_KEY: Record<string, ArtifactBundleKey>;
 export declare function getArtifactValue(bundle: ArtifactBundle, artifactName: string): unknown;

package/dist/io/artifacts.js

@@ -1,6 +1,7 @@
 import { cp, rm, unlink } from "node:fs/promises";
 import { join } from "node:path";
 import { isFileMissingError, readOptionalJsonFile, readOptionalNdjsonFile, readOptionalTextFile, writeJsonFile, writeNdjsonFile, writeTextFile, } from "./json.js";
+import { buildToolingManifest } from "./toolingManifest.js";
 function jsonArtifact(fileName, phase) {
     return {
         fileName,
@@ -45,6 +46,7 @@ export const ARTIFACT_DEFINITIONS = {
     audit_report: textArtifact("audit-report.md", "reporting"),
     audit_state: jsonArtifact("audit_state.json", "supervisor"),
     artifact_metadata: jsonArtifact("artifact_metadata.json", "supervisor"),
+    tooling_manifest: jsonArtifact("tooling_manifest.json", "supervisor"),
 };
 const ARTIFACT_ENTRIES = Object.entries(ARTIFACT_DEFINITIONS);
 export const ARTIFACT_FILE_TO_BUNDLE_KEY = Object.fromEntries(ARTIFACT_ENTRIES.map(([key, definition]) => [definition.fileName, key]));
@@ -62,6 +64,7 @@ export async function loadArtifactBundle(root) {
             bundleRecord[key] = value;
         }
     }
+    bundle.tooling_manifest = await buildToolingManifest();
     return bundle;
 }
 export async function writeCoreArtifacts(root, bundle) {

package/dist/io/toolingManifest.d.ts

@@ -0,0 +1,2 @@
+import type { ToolingManifest } from "../types/toolingManifest.js";
+export declare function buildToolingManifest(): Promise<ToolingManifest>;

package/dist/io/toolingManifest.js

@@ -0,0 +1,75 @@
+import { createHash } from "node:crypto";
+import { readdir, readFile, stat } from "node:fs/promises";
+import { dirname, join, relative, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+const PACKAGE_ROOT = resolve(dirname(fileURLToPath(import.meta.url)), "..", "..");
+const TOOLING_INPUTS = [
+    "audit-code.mjs",
+    "audit-code-wrapper-lib.mjs",
+    "package.json",
+    "dist",
+    "schemas",
+    "skills/audit-code",
+];
+async function pathExists(path) {
+    try {
+        await stat(path);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function collectFiles(path) {
+    const info = await stat(path);
+    if (info.isFile()) {
+        return [path];
+    }
+    if (!info.isDirectory()) {
+        return [];
+    }
+    const entries = await readdir(path, { withFileTypes: true });
+    const files = [];
+    for (const entry of entries.sort((a, b) => a.name.localeCompare(b.name))) {
+        files.push(...(await collectFiles(join(path, entry.name))));
+    }
+    return files;
+}
+async function readPackageVersion() {
+    const packageJsonPath = join(PACKAGE_ROOT, "package.json");
+    if (!(await pathExists(packageJsonPath))) {
+        return null;
+    }
+    try {
+        const packageJson = JSON.parse(await readFile(packageJsonPath, "utf8"));
+        return typeof packageJson.version === "string" ? packageJson.version : null;
+    }
+    catch {
+        return null;
+    }
+}
+export async function buildToolingManifest() {
+    const hash = createHash("sha256");
+    const existingInputs = [];
+    for (const input of TOOLING_INPUTS) {
+        const absolute = join(PACKAGE_ROOT, input);
+        if (!(await pathExists(absolute))) {
+            continue;
+        }
+        existingInputs.push(input);
+        const files = await collectFiles(absolute);
+        for (const file of files.sort((a, b) => a.localeCompare(b))) {
+            hash.update(relative(PACKAGE_ROOT, file).replace(/\\/g, "/"));
+            hash.update("\n");
+            hash.update(await readFile(file));
+            hash.update("\n");
+        }
+    }
+    return {
+        generated_at: new Date().toISOString(),
+        package_root: PACKAGE_ROOT,
+        package_version: await readPackageVersion(),
+        implementation_hash: hash.digest("hex"),
+        inputs: existingInputs,
+    };
+}

package/dist/orchestrator/advance.js

@@ -108,8 +108,12 @@ export async function advanceAudit(bundle, options = {}) {
     catch (error) {
         throw formatExecutorFailure(selectedExecutor, selectedObligation, error);
     }
-    const metadata = computeArtifactMetadata(run.updated, bundle.artifact_metadata);
-    const metadataBundle = { ...run.updated, artifact_metadata: metadata };
+    const metadata = computeArtifactMetadata(run.updated, bundle.artifact_metadata, [...run.artifacts_written, "tooling_manifest.json"]);
+    const metadataBundle = {
+        ...run.updated,
+        tooling_manifest: bundle.tooling_manifest,
+        artifact_metadata: metadata,
+    };
     const updatedState = deriveAuditState(metadataBundle);
     updatedState.last_executor = selectedExecutor;
     updatedState.last_obligation = selectedObligation ?? undefined;

package/dist/orchestrator/artifactMetadata.d.ts

@@ -1,4 +1,4 @@
 import type { ArtifactMetadataManifest } from "../types/artifactMetadata.js";
 import type { ArtifactBundle } from "../io/artifacts.js";
 export declare function present(bundle: ArtifactBundle, artifactName: string): boolean;
-export declare function computeArtifactMetadata(bundle: ArtifactBundle, previous?: ArtifactMetadataManifest): ArtifactMetadataManifest;
+export declare function computeArtifactMetadata(bundle: ArtifactBundle, previous?: ArtifactMetadataManifest, updatedArtifacts?: Iterable<string>): ArtifactMetadataManifest;

package/dist/orchestrator/artifactMetadata.js

@@ -28,6 +28,14 @@ function normalizeForMetadataHash(artifactName, value) {
         const { generated_at: _generatedAt, ...rest } = record;
         return rest;
     }
+    if (artifactName === "tooling_manifest.json" &&
+        value &&
+        typeof value === "object" &&
+        !Array.isArray(value)) {
+        const record = value;
+        const { generated_at: _generatedAt, ...rest } = record;
+        return rest;
+    }
     return value;
 }
 function buildReverseDependencyMap() {
@@ -72,8 +80,9 @@ export function present(bundle, artifactName) {
     const value = getArtifactValue(bundle, artifactName);
     return value !== undefined && value !== null;
 }
-export function computeArtifactMetadata(bundle, previous) {
+export function computeArtifactMetadata(bundle, previous, updatedArtifacts = []) {
     const artifacts = {};
+    const updated = new Set(updatedArtifacts);
     const presentArtifacts = Object.keys(REVERSE_DEPENDENCY_MAP).filter((artifactName) => artifactName !== "artifact_metadata.json" &&
         present(bundle, artifactName));
     const orderedArtifacts = computeDependencyFirstOrder(presentArtifacts);
@@ -83,8 +92,12 @@ export function computeArtifactMetadata(bundle, previous) {
         const value = getArtifactValue(bundle, artifactName);
         if (value === undefined || value === null)
             continue;
-        const contentHash = hashValue(normalizeForMetadataHash(artifactName, value));
         const previousEntry = previous?.artifacts[artifactName];
+        if (previousEntry && !updated.has(artifactName)) {
+            artifacts[artifactName] = previousEntry;
+            continue;
+        }
+        const contentHash = hashValue(normalizeForMetadataHash(artifactName, value));
         const dependencyRevisions = Object.fromEntries((REVERSE_DEPENDENCY_MAP[artifactName] ?? [])
             .filter((dependencyName) => dependencyName !== "artifact_metadata.json")
             .sort()

package/dist/orchestrator/dependencyMap.js

@@ -1,4 +1,7 @@
 export const ARTIFACT_DEPENDENCY_MAP = {
+    "tooling_manifest.json": [
+        "repo_manifest.json",
+    ],
     "repo_manifest.json": [
         "file_disposition.json",
         "unit_manifest.json",

package/dist/orchestrator/internalExecutors.js

@@ -174,6 +174,18 @@ export function runResultIngestionExecutor(bundle, results) {
     const flowCoverage = bundle.critical_flows
         ? buildFlowCoverage(bundle.critical_flows, updatedCoverageMatrix)
         : bundle.flow_coverage;
+    const runtimeCommand = bundle.runtime_validation_tasks?.tasks.find((task) => task.command && task.command.length > 0)?.command;
+    const runtimeValidationTasks = bundle.unit_manifest && flowCoverage
+        ? buildRuntimeValidationTasks({
+            unitManifest: bundle.unit_manifest,
+            criticalFlows: bundle.critical_flows,
+            flowCoverage,
+            command: runtimeCommand,
+        })
+        : bundle.runtime_validation_tasks;
+    const runtimeValidationReport = runtimeValidationTasks
+        ? mergeRuntimeValidationReport(runtimeValidationTasks, bundle.runtime_validation_report)
+        : bundle.runtime_validation_report;
     const requeuePayload = buildRequeuePayload(updatedCoverageMatrix, bundle.critical_flows, flowCoverage, bundle.external_analyzer_results);
     const mergedResults = [...(bundle.audit_results ?? []), ...results];
     const updatedAuditTasks = updateAuditTaskStatuses(bundle.audit_tasks, mergedResults);
@@ -182,6 +194,8 @@ export function runResultIngestionExecutor(bundle, results) {
             ...bundle,
             coverage_matrix: updatedCoverageMatrix,
             flow_coverage: flowCoverage,
+            runtime_validation_tasks: runtimeValidationTasks,
+            runtime_validation_report: runtimeValidationReport,
             audit_results: mergedResults,
             audit_tasks: updatedAuditTasks,
             requeue_tasks: requeuePayload.tasks,
@@ -190,6 +204,8 @@ export function runResultIngestionExecutor(bundle, results) {
         artifacts_written: [
             "coverage_matrix.json",
             "flow_coverage.json",
+            ...(runtimeValidationTasks ? ["runtime_validation_tasks.json"] : []),
+            ...(runtimeValidationReport ? ["runtime_validation_report.json"] : []),
             "audit_results.jsonl",
             "audit_tasks.json",
             "requeue_tasks.json",

package/dist/orchestrator/staleness.js

@@ -23,6 +23,14 @@ function normalizeForMetadataHash(artifactName, value) {
         const { generated_at: _generatedAt, ...rest } = record;
         return rest;
     }
+    if (artifactName === "tooling_manifest.json" &&
+        value &&
+        typeof value === "object" &&
+        !Array.isArray(value)) {
+        const record = value;
+        const { generated_at: _generatedAt, ...rest } = record;
+        return rest;
+    }
     return value;
 }
 function computeContentHash(artifactName, bundle) {
@@ -33,6 +41,18 @@ function computeContentHash(artifactName, bundle) {
         .update(stableStringify(normalizeForMetadataHash(artifactName, value)))
         .digest("hex");
 }
+function buildReverseDependencyMap() {
+    const reverse = {};
+    for (const [upstream, downstreamList] of Object.entries(ARTIFACT_DEPENDENCY_MAP)) {
+        reverse[upstream] ??= [];
+        for (const downstream of downstreamList) {
+            reverse[downstream] ??= [];
+            reverse[downstream].push(upstream);
+        }
+    }
+    return reverse;
+}
+const REVERSE_DEPENDENCY_MAP = buildReverseDependencyMap();
 export function computeStaleArtifacts(bundle) {
     const stale = new Set();
     const metadata = bundle.artifact_metadata;
@@ -40,6 +60,15 @@ export function computeStaleArtifacts(bundle) {
         for (const [artifactName, entry] of Object.entries(metadata.artifacts)) {
             if (!present(bundle, artifactName))
                 continue;
+            const expectedDependencies = [...(REVERSE_DEPENDENCY_MAP[artifactName] ?? [])]
+                .filter((dependencyName) => dependencyName !== "artifact_metadata.json")
+                .sort();
+            const recordedDependencies = Object.keys(entry.dependency_revisions).sort();
+            if (stableStringify(expectedDependencies) !==
+                stableStringify(recordedDependencies)) {
+                stale.add(artifactName);
+                continue;
+            }
             let isStale = false;
             for (const [dependencyName, recordedRevision] of Object.entries(entry.dependency_revisions)) {
                 if (!present(bundle, dependencyName)) {
@@ -51,7 +80,7 @@ export function computeStaleArtifacts(bundle) {
                 }
                 const dependencyEntry = metadata.artifacts[dependencyName];
                 if (!dependencyEntry) {
-                    if (recordedRevision > 0) {
+                    if (present(bundle, dependencyName) || recordedRevision > 0) {
                         isStale = true;
                         break;
                     }
@@ -70,6 +99,9 @@ export function computeStaleArtifacts(bundle) {
         }
     }
     for (const [upstream, downstreamList] of Object.entries(ARTIFACT_DEPENDENCY_MAP)) {
+        if (upstream === "tooling_manifest.json" && !present(bundle, upstream)) {
+            continue;
+        }
         if (!present(bundle, upstream)) {
             for (const downstream of downstreamList) {
                 const hasMetadataEntry = Boolean(metadata?.artifacts[downstream]);
@@ -79,5 +111,20 @@ export function computeStaleArtifacts(bundle) {
             }
         }
     }
+    let changed = true;
+    while (changed) {
+        changed = false;
+        for (const [upstream, downstreamList] of Object.entries(ARTIFACT_DEPENDENCY_MAP)) {
+            if (!stale.has(upstream)) {
+                continue;
+            }
+            for (const downstream of downstreamList) {
+                if (present(bundle, downstream) && !stale.has(downstream)) {
+                    stale.add(downstream);
+                    changed = true;
+                }
+            }
+        }
+    }
     return stale;
 }

package/dist/types/toolingManifest.d.ts

@@ -0,0 +1,7 @@
+export interface ToolingManifest {
+    generated_at: string;
+    package_root: string;
+    package_version: string | null;
+    implementation_hash: string;
+    inputs: string[];
+}

package/dist/types/toolingManifest.js

@@ -0,0 +1 @@
+export {};

package/dist/validation/artifacts.js

@@ -40,6 +40,9 @@ export function validateArtifactBundle(bundle) {
     if (bundle.external_analyzer_results) {
         issues.push(...requireKeys(bundle.external_analyzer_results, "external_analyzer_results", ["tool", "results"]));
     }
+    if (bundle.tooling_manifest) {
+        issues.push(...requireKeys(bundle.tooling_manifest, "tooling_manifest", ["generated_at", "package_root", "implementation_hash", "inputs"]));
+    }
     const repoManifestFiles = asArray(bundle.repo_manifest?.files);
     const fileDispositionEntries = asArray(bundle.file_disposition?.files);
     const unitManifestUnits = asArray(bundle.unit_manifest?.units);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.2.12",
+  "version": "0.2.13",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",

package/skills/audit-code/SKILL.md

@@ -46,6 +46,15 @@ audit-code
 
 from the target repository root.
 
+When developing inside the `auditor-lambda` repository itself, prefer:
+
+```bash
+node audit-code.mjs
+```
+
+That keeps the run pinned to the local wrapper and local `dist/` output instead
+of whichever global `audit-code` binary happens to be on `PATH`.
+
 Debug one-step mode:
 
 ```bash

package/skills/audit-code/audit-code.prompt.md

@@ -18,7 +18,7 @@ To move the state machine forward, execute the backend framework using your term
 audit-code
 ```
 
-_(If the wrapper is only available as a package dependency in the current repository, `npx audit-code` is equivalent. If developing locally against this repository, run `node audit-code.mjs`.)_
+_(If the wrapper is only available as a package dependency in the current repository, `npx audit-code` is equivalent. If you are developing inside the `auditor-lambda` repository itself, prefer `node audit-code.mjs` so the run uses the local wrapper and local `dist/` output instead of a potentially stale global install.)_
 
 ## Step 2: Handle Blockages (The "Thinking" Phase)