auditor-lambda 0.2.12 → 0.2.14

package/dist/cli.js

@@ -287,6 +287,13 @@ function buildPendingAuditTasks(bundle) {
     const completedTaskIds = new Set((bundle.audit_results ?? []).map((result) => result.task_id));
     return (bundle.audit_tasks ?? []).filter((task) => task.status !== "complete" && !completedTaskIds.has(task.task_id));
 }
+async function addFileLineCountHints(root, tasks) {
+    const lineIndex = await buildLineIndexForPaths(root, tasks.flatMap((task) => task.file_paths));
+    return tasks.map((task) => ({
+        ...task,
+        file_line_counts: Object.fromEntries(task.file_paths.map((path) => [path, lineIndex[path] ?? 0])),
+    }));
+}
 function formatAuditResultValidationError(issues) {
     return (`audit-results validation failed with ${issues.length} error(s):\n` +
         formatAuditResultIssues(issues));
@@ -400,7 +407,7 @@ async function ingestBatchAuditResults(options) {
     }
     const bundle = lastStep?.updated_bundle ??
         (await loadArtifactBundle(options.artifactsDir));
-    const state = lastStep?.audit_state ?? deriveAuditState(bundle);
+    const state = deriveAuditState(bundle);
     const decision = decideNextStep(bundle);
     return {
         batchFiles,
@@ -720,7 +727,7 @@ async function cmdRunToCompletion(argv) {
         if (preferredExecutor === "agent" && provider.name === LOCAL_SUBPROCESS_PROVIDER_NAME) {
             const blocker = buildManualReviewBlocker(provider.name);
             const blockedState = buildBlockedAuditState({
-                state: bundle.audit_state ?? decision.state,
+                state: decision.state,
                 obligationId,
                 executor: preferredExecutor,
                 blocker,
@@ -731,7 +738,7 @@ async function cmdRunToCompletion(argv) {
             });
             const blockRunId = buildRunId(obligationId, runCount + 1);
             const blockPaths = getRunPaths(artifactsDir, blockRunId);
-            const blockPendingTasks = buildPendingAuditTasks(bundle).slice(0, agentBatchSize);
+            const blockPendingTasks = await addFileLineCountHints(root, buildPendingAuditTasks(bundle).slice(0, agentBatchSize));
             const blockPendingTasksPath = join(blockPaths.runDir, "pending-audit-tasks.json");
             const blockAuditResultsPath = join(blockPaths.runDir, "audit-results.json");
             const blockTask = {
@@ -784,7 +791,7 @@ async function cmdRunToCompletion(argv) {
             return;
         }
         if (!preferredExecutor) {
-            const state = bundle.audit_state ?? decision.state;
+            const state = decision.state;
             await clearDispatchFiles(artifactsDir);
             await emitEnvelope({
                 root,
@@ -814,7 +821,8 @@ async function cmdRunToCompletion(argv) {
             const allPendingTasks = buildPendingAuditTasks(bundle);
             const taskGroups = chunkArray(allPendingTasks.slice(0, parallelWorkers * agentBatchSize), agentBatchSize);
             const workerSlots = [];
-            for (const group of taskGroups) {
+            for (const rawGroup of taskGroups) {
+                const group = await addFileLineCountHints(root, rawGroup);
                 runCount += 1;
                 const slotRunId = buildRunId(obligationId, runCount);
                 const slotPaths = getRunPaths(artifactsDir, slotRunId);
@@ -1131,7 +1139,7 @@ async function cmdRunToCompletion(argv) {
             continue;
         }
         const pendingAuditTasks = preferredExecutor === "agent"
-            ? buildPendingAuditTasks(bundle).slice(0, agentBatchSize)
+            ? await addFileLineCountHints(root, buildPendingAuditTasks(bundle).slice(0, agentBatchSize))
             : undefined;
         const pendingAuditTasksPath = preferredExecutor === "agent"
             ? join(paths.runDir, "pending-audit-tasks.json")
@@ -1251,12 +1259,12 @@ async function cmdRunToCompletion(argv) {
             const shouldBlock = workerResult.status === "failed" || workerResult.status === "blocked";
             const state = shouldBlock
                 ? buildBlockedAuditState({
-                    state: bundleAfter.audit_state ?? deriveAuditState(bundleAfter),
+                    state: deriveAuditState(bundleAfter),
                     obligationId: workerResult.obligation_id,
                     executor: workerResult.selected_executor,
                     blocker: buildWorkerFailureBlocker(workerResult),
                 })
-                : bundleAfter.audit_state ?? deriveAuditState(bundleAfter);
+                : deriveAuditState(bundleAfter);
             if (shouldBlock) {
                 await writeCoreArtifacts(artifactsDir, {
                     ...bundleAfter,
@@ -1285,7 +1293,7 @@ async function cmdRunToCompletion(argv) {
     }
     const bundle = await loadArtifactBundle(artifactsDir);
     const decision = decideNextStep(bundle);
-    const state = bundle.audit_state ?? decision.state;
+    const state = decision.state;
     if (state.status === "complete") {
         await clearDispatchFiles(artifactsDir);
     }

package/dist/extractors/disposition.js

@@ -1,4 +1,4 @@
-import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isGeneratedInstallArtifactPath, normalizeExtractorPath, } from "./pathPatterns.js";
+import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isAuditArtifactPath, isGeneratedInstallArtifactPath, normalizeExtractorPath, } from "./pathPatterns.js";
 function inferDisposition(path) {
     const normalized = normalizeExtractorPath(path);
     if (isNodeModulesOrGit(normalized)) {
@@ -26,6 +26,13 @@ function inferDisposition(path) {
     if (isLockfilePath(normalized)) {
         return { path, status: "generated", reason: "Lockfile excluded from code audit scope." };
     }
+    if (isAuditArtifactPath(normalized)) {
+        return {
+            path,
+            status: "generated",
+            reason: "Generated audit artifact.",
+        };
+    }
     if (isDocPath(normalized)) {
         return { path, status: "doc_only", reason: "Documentation artifact." };
     }

package/dist/extractors/flows.js

@@ -1,5 +1,5 @@
 import { isAuditExcludedStatus } from "./disposition.js";
-import { EXTRACTOR_HEURISTIC_NOTE, isAsyncTaskPath, isBillingPath, isIdentityPath, isSecuritySensitivePath, isDataLayerPath, isConcurrencyPath, isInterfacePath, isDeploymentConfigPath, normalizeExtractorPath, } from "./pathPatterns.js";
+import { EXTRACTOR_HEURISTIC_NOTE, isAsyncTaskPath, isBillingPath, isIdentityPath, isSecuritySensitivePath, isTestPath, isDataLayerPath, isConcurrencyPath, isInterfacePath, isDeploymentConfigPath, normalizeExtractorPath, } from "./pathPatterns.js";
 function inferConcerns(paths) {
     const concerns = new Set();
     for (const path of paths) {
@@ -15,6 +15,12 @@ function inferConcerns(paths) {
     }
     return concerns.size > 0 ? [...concerns] : ["correctness"];
 }
+function isSchemaContractPath(normalized) {
+    return normalized.endsWith(".schema.json");
+}
+function isSupportArtifactPath(normalized) {
+    return isTestPath(normalized) || normalized.startsWith("examples/");
+}
 function relatedPaths(entry, availablePaths) {
     const normalized = normalizeExtractorPath(entry);
     const linked = new Set([entry]);
@@ -82,7 +88,9 @@ export function buildCriticalFlowManifest(repoManifest, surfaceManifest, disposi
     }
     for (const path of availablePaths) {
         const normalized = normalizeExtractorPath(path);
-        if (isDataLayerPath(normalized)) {
+        if (isDataLayerPath(normalized) &&
+            !isSchemaContractPath(normalized) &&
+            !isSupportArtifactPath(normalized)) {
             flows.push({
                 id: `flow:data:${path.replace(/[^a-zA-Z0-9:_-]/g, "-")}`,
                 name: `data evolution flow for ${path}`,

package/dist/extractors/pathPatterns.d.ts

@@ -14,6 +14,7 @@ export declare function isLicensePath(normalized: string): boolean;
 export declare function isLockfilePath(normalized: string): boolean;
 export declare function isDocPath(normalized: string): boolean;
 export declare function isGeneratedInstallArtifactPath(normalized: string): boolean;
+export declare function isAuditArtifactPath(normalized: string): boolean;
 export declare function isTestPath(normalized: string): boolean;
 export declare function isInterfacePath(normalized: string): boolean;
 export declare function isDataLayerPath(normalized: string): boolean;

package/dist/extractors/pathPatterns.js

@@ -75,6 +75,13 @@ function baseName(normalized) {
     const segments = splitSegments(normalized);
     return segments.at(-1) ?? normalized;
 }
+function pathTokens(normalized) {
+    return normalized.split(/[^a-z0-9]+/).filter(Boolean);
+}
+function hasToken(normalized, values) {
+    const tokens = new Set(pathTokens(normalized));
+    return values.some((value) => tokens.has(value));
+}
 export function isNodeModulesOrGit(normalized) {
     return hasSegment(normalized, "node_modules") || hasSegment(normalized, ".git");
 }
@@ -103,6 +110,9 @@ export function isDocPath(normalized) {
 export function isGeneratedInstallArtifactPath(normalized) {
     return normalized.startsWith(".audit-code/install/");
 }
+export function isAuditArtifactPath(normalized) {
+    return splitSegments(normalized).some((segment) => segment.startsWith(".audit-artifacts"));
+}
 export function isTestPath(normalized) {
     return includesAny(normalized, TEST_KEYWORDS);
 }
@@ -110,7 +120,12 @@ export function isInterfacePath(normalized) {
     return includesAny(normalized, INTERFACE_KEYWORDS) || hasSegment(normalized, "api");
 }
 export function isDataLayerPath(normalized) {
-    return includesAny(normalized, DATA_LAYER_KEYWORDS) || hasSegment(normalized, "db");
+    return (hasToken(normalized, DATA_LAYER_KEYWORDS) ||
+        hasSegment(normalized, "models") ||
+        hasSegment(normalized, "schemas") ||
+        hasSegment(normalized, "migrations") ||
+        hasSegment(normalized, "seeds") ||
+        hasSegment(normalized, "db"));
 }
 export function isSecuritySensitivePath(normalized) {
     return includesAny(normalized, SECURITY_KEYWORDS);

package/dist/io/artifacts.d.ts

@@ -9,6 +9,7 @@ import type { GraphBundle } from "../types/graph.js";
 import type { RiskRegister } from "../types/risk.js";
 import type { RuntimeValidationReport, RuntimeValidationTaskManifest } from "../types/runtimeValidation.js";
 import type { SurfaceManifest } from "../types/surfaces.js";
+import type { ToolingManifest } from "../types/toolingManifest.js";
 type ArtifactPayloadMap = {
     repo_manifest: RepoManifest;
     file_disposition: FileDisposition;
@@ -29,6 +30,7 @@ type ArtifactPayloadMap = {
     audit_report: string;
     audit_state: AuditState;
     artifact_metadata: ArtifactMetadataManifest;
+    tooling_manifest: ToolingManifest;
 };
 /**
  * Audit artifacts accumulate phase-by-phase as the orchestrator advances.
@@ -63,6 +65,7 @@ export declare const ARTIFACT_DEFINITIONS: {
     readonly audit_report: ArtifactDefinition<"audit_report">;
     readonly audit_state: ArtifactDefinition<"audit_state">;
     readonly artifact_metadata: ArtifactDefinition<"artifact_metadata">;
+    readonly tooling_manifest: ArtifactDefinition<"tooling_manifest">;
 };
 export declare const ARTIFACT_FILE_TO_BUNDLE_KEY: Record<string, ArtifactBundleKey>;
 export declare function getArtifactValue(bundle: ArtifactBundle, artifactName: string): unknown;

package/dist/io/artifacts.js

@@ -1,6 +1,7 @@
 import { cp, rm, unlink } from "node:fs/promises";
 import { join } from "node:path";
 import { isFileMissingError, readOptionalJsonFile, readOptionalNdjsonFile, readOptionalTextFile, writeJsonFile, writeNdjsonFile, writeTextFile, } from "./json.js";
+import { buildToolingManifest } from "./toolingManifest.js";
 function jsonArtifact(fileName, phase) {
     return {
         fileName,
@@ -45,6 +46,7 @@ export const ARTIFACT_DEFINITIONS = {
     audit_report: textArtifact("audit-report.md", "reporting"),
     audit_state: jsonArtifact("audit_state.json", "supervisor"),
     artifact_metadata: jsonArtifact("artifact_metadata.json", "supervisor"),
+    tooling_manifest: jsonArtifact("tooling_manifest.json", "supervisor"),
 };
 const ARTIFACT_ENTRIES = Object.entries(ARTIFACT_DEFINITIONS);
 export const ARTIFACT_FILE_TO_BUNDLE_KEY = Object.fromEntries(ARTIFACT_ENTRIES.map(([key, definition]) => [definition.fileName, key]));
@@ -62,6 +64,7 @@ export async function loadArtifactBundle(root) {
             bundleRecord[key] = value;
         }
     }
+    bundle.tooling_manifest = await buildToolingManifest();
     return bundle;
 }
 export async function writeCoreArtifacts(root, bundle) {

package/dist/io/runArtifacts.js

@@ -5,10 +5,12 @@ import { writeJsonFile } from "./json.js";
 const moduleDir = dirname(fileURLToPath(import.meta.url));
 const packageRoot = resolve(moduleDir, "..", "..");
 const auditResultSchemaPath = join(packageRoot, "schemas", "audit_result.schema.json");
+const findingSchemaPath = join(packageRoot, "schemas", "finding.schema.json");
 const CURRENT_TASK_FILENAME = "current-task.json";
 const CURRENT_PROMPT_FILENAME = "current-prompt.md";
 const CURRENT_TASKS_FILENAME = "current-tasks.json";
 const CURRENT_SCHEMA_FILENAME = "audit-result.schema.json";
+const CURRENT_FINDING_SCHEMA_FILENAME = "finding.schema.json";
 function pad(value, size = 2) {
     return String(value).padStart(size, "0");
 }
@@ -53,6 +55,11 @@ export async function ensureSupervisorDirs(artifactsDir) {
     await mkdir(join(artifactsDir, "dispatch"), { recursive: true });
     await mkdir(join(artifactsDir, "runs"), { recursive: true });
 }
+async function writeDispatchSchemaFiles(artifactsDir) {
+    const dispatchDir = join(artifactsDir, "dispatch");
+    await writeFile(join(dispatchDir, CURRENT_SCHEMA_FILENAME), await readFile(auditResultSchemaPath, "utf8"), "utf8");
+    await writeFile(join(dispatchDir, CURRENT_FINDING_SCHEMA_FILENAME), await readFile(findingSchemaPath, "utf8"), "utf8");
+}
 export async function writeWorkerTaskFiles(task, prompt, paths, artifactsDir, currentTasks, options = {}) {
     await mkdir(paths.runDir, { recursive: true });
     await writeJsonFile(paths.taskPath, task);
@@ -62,13 +69,13 @@ export async function writeWorkerTaskFiles(task, prompt, paths, artifactsDir, cu
         status: "dispatched",
     });
     if (options.updateDispatch === false) {
-        await writeFile(join(artifactsDir, "dispatch", CURRENT_SCHEMA_FILENAME), await readFile(auditResultSchemaPath, "utf8"), "utf8");
+        await writeDispatchSchemaFiles(artifactsDir);
         return;
     }
     await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASK_FILENAME), task);
     await writeFile(join(artifactsDir, "dispatch", CURRENT_PROMPT_FILENAME), prompt, "utf8");
     await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASKS_FILENAME), currentTasks ?? []);
-    await writeFile(join(artifactsDir, "dispatch", CURRENT_SCHEMA_FILENAME), await readFile(auditResultSchemaPath, "utf8"), "utf8");
+    await writeDispatchSchemaFiles(artifactsDir);
 }
 export async function writeDispatchBatchFiles(artifactsDir, runs, currentTasks) {
     const summary = {
@@ -104,7 +111,7 @@ export async function writeDispatchBatchFiles(artifactsDir, runs, currentTasks)
     await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASK_FILENAME), summary);
     await writeFile(join(artifactsDir, "dispatch", CURRENT_PROMPT_FILENAME), promptLines.join("\n"), "utf8");
     await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASKS_FILENAME), currentTasks);
-    await writeFile(join(artifactsDir, "dispatch", CURRENT_SCHEMA_FILENAME), await readFile(auditResultSchemaPath, "utf8"), "utf8");
+    await writeDispatchSchemaFiles(artifactsDir);
 }
 export async function clearDispatchFiles(artifactsDir) {
     const targets = [
@@ -112,6 +119,7 @@ export async function clearDispatchFiles(artifactsDir) {
         CURRENT_PROMPT_FILENAME,
         CURRENT_TASKS_FILENAME,
         CURRENT_SCHEMA_FILENAME,
+        CURRENT_FINDING_SCHEMA_FILENAME,
     ];
     for (const name of targets) {
         await rm(join(artifactsDir, "dispatch", name), { force: true });

package/dist/io/toolingManifest.d.ts

@@ -0,0 +1,2 @@
+import type { ToolingManifest } from "../types/toolingManifest.js";
+export declare function buildToolingManifest(): Promise<ToolingManifest>;

package/dist/io/toolingManifest.js

@@ -0,0 +1,75 @@
+import { createHash } from "node:crypto";
+import { readdir, readFile, stat } from "node:fs/promises";
+import { dirname, join, relative, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+const PACKAGE_ROOT = resolve(dirname(fileURLToPath(import.meta.url)), "..", "..");
+const TOOLING_INPUTS = [
+    "audit-code.mjs",
+    "audit-code-wrapper-lib.mjs",
+    "package.json",
+    "dist",
+    "schemas",
+    "skills/audit-code",
+];
+async function pathExists(path) {
+    try {
+        await stat(path);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function collectFiles(path) {
+    const info = await stat(path);
+    if (info.isFile()) {
+        return [path];
+    }
+    if (!info.isDirectory()) {
+        return [];
+    }
+    const entries = await readdir(path, { withFileTypes: true });
+    const files = [];
+    for (const entry of entries.sort((a, b) => a.name.localeCompare(b.name))) {
+        files.push(...(await collectFiles(join(path, entry.name))));
+    }
+    return files;
+}
+async function readPackageVersion() {
+    const packageJsonPath = join(PACKAGE_ROOT, "package.json");
+    if (!(await pathExists(packageJsonPath))) {
+        return null;
+    }
+    try {
+        const packageJson = JSON.parse(await readFile(packageJsonPath, "utf8"));
+        return typeof packageJson.version === "string" ? packageJson.version : null;
+    }
+    catch {
+        return null;
+    }
+}
+export async function buildToolingManifest() {
+    const hash = createHash("sha256");
+    const existingInputs = [];
+    for (const input of TOOLING_INPUTS) {
+        const absolute = join(PACKAGE_ROOT, input);
+        if (!(await pathExists(absolute))) {
+            continue;
+        }
+        existingInputs.push(input);
+        const files = await collectFiles(absolute);
+        for (const file of files.sort((a, b) => a.localeCompare(b))) {
+            hash.update(relative(PACKAGE_ROOT, file).replace(/\\/g, "/"));
+            hash.update("\n");
+            hash.update(await readFile(file));
+            hash.update("\n");
+        }
+    }
+    return {
+        generated_at: new Date().toISOString(),
+        package_root: PACKAGE_ROOT,
+        package_version: await readPackageVersion(),
+        implementation_hash: hash.digest("hex"),
+        inputs: existingInputs,
+    };
+}

package/dist/orchestrator/advance.js

@@ -108,8 +108,12 @@ export async function advanceAudit(bundle, options = {}) {
     catch (error) {
         throw formatExecutorFailure(selectedExecutor, selectedObligation, error);
     }
-    const metadata = computeArtifactMetadata(run.updated, bundle.artifact_metadata);
-    const metadataBundle = { ...run.updated, artifact_metadata: metadata };
+    const metadata = computeArtifactMetadata(run.updated, bundle.artifact_metadata, [...run.artifacts_written, "tooling_manifest.json"]);
+    const metadataBundle = {
+        ...run.updated,
+        tooling_manifest: bundle.tooling_manifest,
+        artifact_metadata: metadata,
+    };
     const updatedState = deriveAuditState(metadataBundle);
     updatedState.last_executor = selectedExecutor;
     updatedState.last_obligation = selectedObligation ?? undefined;

package/dist/orchestrator/artifactMetadata.d.ts

@@ -1,4 +1,4 @@
 import type { ArtifactMetadataManifest } from "../types/artifactMetadata.js";
 import type { ArtifactBundle } from "../io/artifacts.js";
 export declare function present(bundle: ArtifactBundle, artifactName: string): boolean;
-export declare function computeArtifactMetadata(bundle: ArtifactBundle, previous?: ArtifactMetadataManifest): ArtifactMetadataManifest;
+export declare function computeArtifactMetadata(bundle: ArtifactBundle, previous?: ArtifactMetadataManifest, updatedArtifacts?: Iterable<string>): ArtifactMetadataManifest;

package/dist/orchestrator/artifactMetadata.js

@@ -28,6 +28,14 @@ function normalizeForMetadataHash(artifactName, value) {
         const { generated_at: _generatedAt, ...rest } = record;
         return rest;
     }
+    if (artifactName === "tooling_manifest.json" &&
+        value &&
+        typeof value === "object" &&
+        !Array.isArray(value)) {
+        const record = value;
+        const { generated_at: _generatedAt, ...rest } = record;
+        return rest;
+    }
     return value;
 }
 function buildReverseDependencyMap() {
@@ -72,8 +80,9 @@ export function present(bundle, artifactName) {
     const value = getArtifactValue(bundle, artifactName);
     return value !== undefined && value !== null;
 }
-export function computeArtifactMetadata(bundle, previous) {
+export function computeArtifactMetadata(bundle, previous, updatedArtifacts = []) {
     const artifacts = {};
+    const updated = new Set(updatedArtifacts);
     const presentArtifacts = Object.keys(REVERSE_DEPENDENCY_MAP).filter((artifactName) => artifactName !== "artifact_metadata.json" &&
         present(bundle, artifactName));
     const orderedArtifacts = computeDependencyFirstOrder(presentArtifacts);
@@ -83,8 +92,12 @@ export function computeArtifactMetadata(bundle, previous) {
         const value = getArtifactValue(bundle, artifactName);
         if (value === undefined || value === null)
             continue;
-        const contentHash = hashValue(normalizeForMetadataHash(artifactName, value));
         const previousEntry = previous?.artifacts[artifactName];
+        if (previousEntry && !updated.has(artifactName)) {
+            artifacts[artifactName] = previousEntry;
+            continue;
+        }
+        const contentHash = hashValue(normalizeForMetadataHash(artifactName, value));
         const dependencyRevisions = Object.fromEntries((REVERSE_DEPENDENCY_MAP[artifactName] ?? [])
             .filter((dependencyName) => dependencyName !== "artifact_metadata.json")
             .sort()

package/dist/orchestrator/dependencyMap.js

@@ -1,4 +1,7 @@
 export const ARTIFACT_DEPENDENCY_MAP = {
+    "tooling_manifest.json": [
+        "repo_manifest.json",
+    ],
     "repo_manifest.json": [
         "file_disposition.json",
         "unit_manifest.json",

package/dist/orchestrator/internalExecutors.js

@@ -174,6 +174,18 @@ export function runResultIngestionExecutor(bundle, results) {
     const flowCoverage = bundle.critical_flows
         ? buildFlowCoverage(bundle.critical_flows, updatedCoverageMatrix)
         : bundle.flow_coverage;
+    const runtimeCommand = bundle.runtime_validation_tasks?.tasks.find((task) => task.command && task.command.length > 0)?.command;
+    const runtimeValidationTasks = bundle.unit_manifest && flowCoverage
+        ? buildRuntimeValidationTasks({
+            unitManifest: bundle.unit_manifest,
+            criticalFlows: bundle.critical_flows,
+            flowCoverage,
+            command: runtimeCommand,
+        })
+        : bundle.runtime_validation_tasks;
+    const runtimeValidationReport = runtimeValidationTasks
+        ? mergeRuntimeValidationReport(runtimeValidationTasks, bundle.runtime_validation_report)
+        : bundle.runtime_validation_report;
     const requeuePayload = buildRequeuePayload(updatedCoverageMatrix, bundle.critical_flows, flowCoverage, bundle.external_analyzer_results);
     const mergedResults = [...(bundle.audit_results ?? []), ...results];
     const updatedAuditTasks = updateAuditTaskStatuses(bundle.audit_tasks, mergedResults);
@@ -182,6 +194,8 @@ export function runResultIngestionExecutor(bundle, results) {
             ...bundle,
             coverage_matrix: updatedCoverageMatrix,
             flow_coverage: flowCoverage,
+            runtime_validation_tasks: runtimeValidationTasks,
+            runtime_validation_report: runtimeValidationReport,
             audit_results: mergedResults,
             audit_tasks: updatedAuditTasks,
             requeue_tasks: requeuePayload.tasks,
@@ -190,6 +204,8 @@ export function runResultIngestionExecutor(bundle, results) {
         artifacts_written: [
             "coverage_matrix.json",
             "flow_coverage.json",
+            ...(runtimeValidationTasks ? ["runtime_validation_tasks.json"] : []),
+            ...(runtimeValidationReport ? ["runtime_validation_report.json"] : []),
             "audit_results.jsonl",
             "audit_tasks.json",
             "requeue_tasks.json",

package/dist/orchestrator/localCommands.js

@@ -1,6 +1,6 @@
 import { existsSync } from "node:fs";
 import { spawnSync } from "node:child_process";
-import { delimiter, isAbsolute, join } from "node:path";
+import { delimiter, extname, isAbsolute, join } from "node:path";
 function isWindowsBatchCommand(path) {
     return process.platform === "win32" && /\.(cmd|bat)$/i.test(path);
 }
@@ -45,10 +45,24 @@ function resolveFromPath(command) {
     const extensions = process.platform === "win32"
         ? (process.env.PATHEXT ?? ".COM;.EXE;.BAT;.CMD")
             .split(";")
-            .map((ext) => ext.toLowerCase())
+            .map((ext) => ext.trim().toLowerCase())
+            .filter((ext) => ext.length > 0)
+            .map((ext) => (ext.startsWith(".") ? ext : `.${ext}`))
         : [""];
     for (const dir of pathEntries) {
         const directPath = join(dir, command);
+        if (process.platform === "win32" && extname(command).length === 0) {
+            for (const ext of extensions) {
+                const candidatePath = join(dir, `${command}${ext}`);
+                if (existsSync(candidatePath)) {
+                    return candidatePath;
+                }
+            }
+            if (existsSync(directPath)) {
+                return directPath;
+            }
+            continue;
+        }
         if (existsSync(directPath)) {
             return directPath;
         }

package/dist/orchestrator/staleness.js

@@ -23,6 +23,14 @@ function normalizeForMetadataHash(artifactName, value) {
         const { generated_at: _generatedAt, ...rest } = record;
         return rest;
     }
+    if (artifactName === "tooling_manifest.json" &&
+        value &&
+        typeof value === "object" &&
+        !Array.isArray(value)) {
+        const record = value;
+        const { generated_at: _generatedAt, ...rest } = record;
+        return rest;
+    }
     return value;
 }
 function computeContentHash(artifactName, bundle) {
@@ -33,6 +41,18 @@ function computeContentHash(artifactName, bundle) {
         .update(stableStringify(normalizeForMetadataHash(artifactName, value)))
         .digest("hex");
 }
+function buildReverseDependencyMap() {
+    const reverse = {};
+    for (const [upstream, downstreamList] of Object.entries(ARTIFACT_DEPENDENCY_MAP)) {
+        reverse[upstream] ??= [];
+        for (const downstream of downstreamList) {
+            reverse[downstream] ??= [];
+            reverse[downstream].push(upstream);
+        }
+    }
+    return reverse;
+}
+const REVERSE_DEPENDENCY_MAP = buildReverseDependencyMap();
 export function computeStaleArtifacts(bundle) {
     const stale = new Set();
     const metadata = bundle.artifact_metadata;
@@ -40,6 +60,15 @@ export function computeStaleArtifacts(bundle) {
         for (const [artifactName, entry] of Object.entries(metadata.artifacts)) {
             if (!present(bundle, artifactName))
                 continue;
+            const expectedDependencies = [...(REVERSE_DEPENDENCY_MAP[artifactName] ?? [])]
+                .filter((dependencyName) => dependencyName !== "artifact_metadata.json")
+                .sort();
+            const recordedDependencies = Object.keys(entry.dependency_revisions).sort();
+            if (stableStringify(expectedDependencies) !==
+                stableStringify(recordedDependencies)) {
+                stale.add(artifactName);
+                continue;
+            }
             let isStale = false;
             for (const [dependencyName, recordedRevision] of Object.entries(entry.dependency_revisions)) {
                 if (!present(bundle, dependencyName)) {
@@ -51,7 +80,7 @@ export function computeStaleArtifacts(bundle) {
                 }
                 const dependencyEntry = metadata.artifacts[dependencyName];
                 if (!dependencyEntry) {
-                    if (recordedRevision > 0) {
+                    if (present(bundle, dependencyName) || recordedRevision > 0) {
                         isStale = true;
                         break;
                     }
@@ -70,6 +99,9 @@ export function computeStaleArtifacts(bundle) {
         }
     }
     for (const [upstream, downstreamList] of Object.entries(ARTIFACT_DEPENDENCY_MAP)) {
+        if (upstream === "tooling_manifest.json" && !present(bundle, upstream)) {
+            continue;
+        }
         if (!present(bundle, upstream)) {
             for (const downstream of downstreamList) {
                 const hasMetadataEntry = Boolean(metadata?.artifacts[downstream]);
@@ -79,5 +111,20 @@ export function computeStaleArtifacts(bundle) {
             }
         }
     }
+    let changed = true;
+    while (changed) {
+        changed = false;
+        for (const [upstream, downstreamList] of Object.entries(ARTIFACT_DEPENDENCY_MAP)) {
+            if (!stale.has(upstream)) {
+                continue;
+            }
+            for (const downstream of downstreamList) {
+                if (present(bundle, downstream) && !stale.has(downstream)) {
+                    stale.add(downstream);
+                    changed = true;
+                }
+            }
+        }
+    }
     return stale;
 }

package/dist/prompts/renderWorkerPrompt.js

@@ -8,7 +8,7 @@ export function renderWorkerPrompt(task) {
         const tasksPath = task.pending_audit_tasks_path ??
             `${task.artifacts_dir}/audit_tasks.json`;
         const lines = [
-            "You are executing one bounded audit task for audit-code.",
+            "You are executing one bounded audit run for audit-code.",
             `Run ID: ${task.run_id}`,
             `Repository root: ${task.repo_root}`,
             "",
@@ -23,6 +23,7 @@ export function renderWorkerPrompt(task) {
             "       task_id, unit_id, pass_id, lens",
             "       file_coverage: [{path, total_lines}] for every assigned file you reviewed",
             "       findings: array (empty if nothing found)",
+            "     If the task includes file_line_counts, use those values for file_coverage.total_lines.",
             "     total_lines must match the file's current total line count.",
             "     Each finding must include:",
             "       id, title, category, severity, confidence, lens, summary, affected_files,",
@@ -33,7 +34,7 @@ export function renderWorkerPrompt(task) {
             task.timeout_ms
                 ? `     Time budget for this task: ${task.timeout_ms} ms.`
                 : "     Keep the task bounded to the assigned files only.",
-            `Reference schema: ${task.artifacts_dir}/dispatch/audit-result.schema.json`,
+            `Reference schemas: ${task.artifacts_dir}/dispatch/audit-result.schema.json and ${task.artifacts_dir}/dispatch/finding.schema.json`,
             `Write the AuditResult[] JSON array to: ${task.audit_results_path}`,
         ];
         if (usesDeferredWorkerCommand(task)) {

package/dist/types/toolingManifest.d.ts

@@ -0,0 +1,7 @@
+export interface ToolingManifest {
+    generated_at: string;
+    package_root: string;
+    package_version: string | null;
+    implementation_hash: string;
+    inputs: string[];
+}

package/dist/types/toolingManifest.js

@@ -0,0 +1 @@
+export {};

package/dist/types.d.ts

@@ -53,6 +53,7 @@ export interface AuditTask {
     pass_id: string;
     lens: Lens;
     file_paths: string[];
+    file_line_counts?: Record<string, number>;
     line_ranges?: Array<{
         path: string;
         start: number;

package/dist/validation/artifacts.js

@@ -40,6 +40,9 @@ export function validateArtifactBundle(bundle) {
     if (bundle.external_analyzer_results) {
         issues.push(...requireKeys(bundle.external_analyzer_results, "external_analyzer_results", ["tool", "results"]));
     }
+    if (bundle.tooling_manifest) {
+        issues.push(...requireKeys(bundle.tooling_manifest, "tooling_manifest", ["generated_at", "package_root", "implementation_hash", "inputs"]));
+    }
     const repoManifestFiles = asArray(bundle.repo_manifest?.files);
     const fileDispositionEntries = asArray(bundle.file_disposition?.files);
     const unitManifestUnits = asArray(bundle.unit_manifest?.units);

package/dist/validation/auditResults.js

@@ -306,12 +306,12 @@ export function validateAuditResults(results, tasks, options = {}) {
                     });
                 }
                 if (Number.isInteger(entry.total_lines) &&
-                    Number(entry.total_lines) <= 0) {
+                    Number(entry.total_lines) < 0) {
                     pushIssue(issues, {
                         result_index: i,
                         task_id: taskId,
                         field: `file_coverage[${j}].total_lines`,
-                        message: "file_coverage total_lines must be greater than zero.",
+                        message: "file_coverage total_lines must be zero or greater.",
                     });
                 }
                 const expectedLineCount = typeof entry.path === "string"
@@ -330,7 +330,7 @@ export function validateAuditResults(results, tasks, options = {}) {
                 }
                 if (isNonEmptyString(entry.path) &&
                     Number.isInteger(entry.total_lines) &&
-                    Number(entry.total_lines) > 0) {
+                    Number(entry.total_lines) >= 0) {
                     normalizedFileCoverage.push({
                         path: entry.path,
                         total_lines: Number(entry.total_lines),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.2.12",
+  "version": "0.2.14",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",

package/schemas/audit_result.schema.json

@@ -33,7 +33,7 @@
         "required": ["path", "total_lines"],
         "properties": {
           "path": { "type": "string" },
-          "total_lines": { "type": "integer", "minimum": 1 }
+          "total_lines": { "type": "integer", "minimum": 0 }
         },
         "additionalProperties": false
       }

package/schemas/audit_task.schema.json

@@ -24,6 +24,13 @@
       "minItems": 1,
       "items": { "type": "string" }
     },
+    "file_line_counts": {
+      "type": "object",
+      "additionalProperties": {
+        "type": "integer",
+        "minimum": 0
+      }
+    },
     "line_ranges": {
       "type": "array",
       "items": {

package/skills/audit-code/SKILL.md

@@ -46,6 +46,15 @@ audit-code
 
 from the target repository root.
 
+When developing inside the `auditor-lambda` repository itself, prefer:
+
+```bash
+node audit-code.mjs
+```
+
+That keeps the run pinned to the local wrapper and local `dist/` output instead
+of whichever global `audit-code` binary happens to be on `PATH`.
+
 Debug one-step mode:
 
 ```bash

package/skills/audit-code/audit-code.prompt.md

@@ -18,7 +18,7 @@ To move the state machine forward, execute the backend framework using your term
 audit-code
 ```
 
-_(If the wrapper is only available as a package dependency in the current repository, `npx audit-code` is equivalent. If developing locally against this repository, run `node audit-code.mjs`.)_
+_(If the wrapper is only available as a package dependency in the current repository, `npx audit-code` is equivalent. If you are developing inside the `auditor-lambda` repository itself, prefer `node audit-code.mjs` so the run uses the local wrapper and local `dist/` output instead of a potentially stale global install.)_
 
 ## Step 2: Handle Blockages (The "Thinking" Phase)