auditor-lambda 0.2.13 → 0.2.14
- package/dist/cli.js +11 -3
- package/dist/extractors/flows.js +10 -2
- package/dist/extractors/pathPatterns.js +13 -1
- package/dist/io/runArtifacts.js +11 -3
- package/dist/orchestrator/localCommands.js +16 -2
- package/dist/prompts/renderWorkerPrompt.js +3 -2
- package/dist/types.d.ts +1 -0
- package/dist/validation/auditResults.js +3 -3
- package/package.json +1 -1
- package/schemas/audit_result.schema.json +1 -1
- package/schemas/audit_task.schema.json +7 -0
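--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -287,6 +287,13 @@ function buildPendingAuditTasks(bundle) {
 const completedTaskIds = new Set((bundle.audit_results ?? []).map((result) => result.task_id));
 return (bundle.audit_tasks ?? []).filter((task) => task.status !== "complete" && !completedTaskIds.has(task.task_id));
 }
+async function addFileLineCountHints(root, tasks) {
+const lineIndex = await buildLineIndexForPaths(root, tasks.flatMap((task) => task.file_paths));
+return tasks.map((task) => ({
+...task,
+file_line_counts: Object.fromEntries(task.file_paths.map((path) => [path, lineIndex[path] ?? 0])),
+}));
+}
 function formatAuditResultValidationError(issues) {
 return (`audit-results validation failed with ${issues.length} error(s):\n` +
 formatAuditResultIssues(issues));
@@ -731,7 +738,7 @@ async function cmdRunToCompletion(argv) {
 });
 const blockRunId = buildRunId(obligationId, runCount + 1);
 const blockPaths = getRunPaths(artifactsDir, blockRunId);
-const blockPendingTasks = buildPendingAuditTasks(bundle).slice(0, agentBatchSize);
+const blockPendingTasks = await addFileLineCountHints(root, buildPendingAuditTasks(bundle).slice(0, agentBatchSize));
 const blockPendingTasksPath = join(blockPaths.runDir, "pending-audit-tasks.json");
 const blockAuditResultsPath = join(blockPaths.runDir, "audit-results.json");
 const blockTask = {
@@ -814,7 +821,8 @@ async function cmdRunToCompletion(argv) {
 const allPendingTasks = buildPendingAuditTasks(bundle);
 const taskGroups = chunkArray(allPendingTasks.slice(0, parallelWorkers * agentBatchSize), agentBatchSize);
 const workerSlots = [];
-for (const
+for (const rawGroup of taskGroups) {
+const group = await addFileLineCountHints(root, rawGroup);
 runCount += 1;
 const slotRunId = buildRunId(obligationId, runCount);
 const slotPaths = getRunPaths(artifactsDir, slotRunId);
@@ -1131,7 +1139,7 @@ async function cmdRunToCompletion(argv) {
 continue;
 }
 const pendingAuditTasks = preferredExecutor === "agent"
-? buildPendingAuditTasks(bundle).slice(0, agentBatchSize)
+? await addFileLineCountHints(root, buildPendingAuditTasks(bundle).slice(0, agentBatchSize))
 : undefined;
 const pendingAuditTasksPath = preferredExecutor === "agent"
 ? join(paths.runDir, "pending-audit-tasks.json")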
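Review bot: In `addFileLineCountHints`, `lineIndex[path] ?? 0` reports a path that is missing from the line index as a zero-line file, which cannot be told apart from a genuinely empty file. The worker prompt in this release tells workers to copy `file_line_counts` into `file_coverage.total_lines`, and the `validateAuditResults` hunks further down now accept a `total_lines` of 0, so a file that could not be read may end up recorded as covered; whether a later expected-count comparison catches this is outside the visible hunks. If the task schema allows it, I would leave unknown paths out of the hint so the worker has to count them itself, and look entries up with an own-property check so a file literally named `constructor` does not pick up an inherited value: `task.file_paths.filter((path) => Object.hasOwn(lineIndex, path)).map((path) => [path, lineIndex[path]])`. `task.file_paths` is also dereferenced without the `?? []` guard that `buildPendingAuditTasks` uses for the bundle fields.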
package/dist/extractors/flows.js
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { isAuditExcludedStatus } from "./disposition.js";
|
|
2
|
-
import { EXTRACTOR_HEURISTIC_NOTE, isAsyncTaskPath, isBillingPath, isIdentityPath, isSecuritySensitivePath, isDataLayerPath, isConcurrencyPath, isInterfacePath, isDeploymentConfigPath, normalizeExtractorPath, } from "./pathPatterns.js";
|
|
2
|
+
import { EXTRACTOR_HEURISTIC_NOTE, isAsyncTaskPath, isBillingPath, isIdentityPath, isSecuritySensitivePath, isTestPath, isDataLayerPath, isConcurrencyPath, isInterfacePath, isDeploymentConfigPath, normalizeExtractorPath, } from "./pathPatterns.js";
|
|
3
3
|
function inferConcerns(paths) {
|
|
4
4
|
const concerns = new Set();
|
|
5
5
|
for (const path of paths) {
|
|
@@ -15,6 +15,12 @@ function inferConcerns(paths) {
|
|
|
15
15
|
}
|
|
16
16
|
return concerns.size > 0 ? [...concerns] : ["correctness"];
|
|
17
17
|
}
|
|
18
|
+
function isSchemaContractPath(normalized) {
|
|
19
|
+
return normalized.endsWith(".schema.json");
|
|
20
|
+
}
|
|
21
|
+
function isSupportArtifactPath(normalized) {
|
|
22
|
+
return isTestPath(normalized) || normalized.startsWith("examples/");
|
|
23
|
+
}
|
|
18
24
|
function relatedPaths(entry, availablePaths) {
|
|
19
25
|
const normalized = normalizeExtractorPath(entry);
|
|
20
26
|
const linked = new Set([entry]);
|
|
@@ -82,7 +88,9 @@ export function buildCriticalFlowManifest(repoManifest, surfaceManifest, disposi
|
|
|
82
88
|
}
|
|
83
89
|
for (const path of availablePaths) {
|
|
84
90
|
const normalized = normalizeExtractorPath(path);
|
|
85
|
-
if (isDataLayerPath(normalized)
|
|
91
|
+
if (isDataLayerPath(normalized) &&
|
|
92
|
+
!isSchemaContractPath(normalized) &&
|
|
93
|
+
!isSupportArtifactPath(normalized)) {
|
|
86
94
|
flows.push({
|
|
87
95
|
id: `flow:data:${path.replace(/[^a-zA-Z0-9:_-]/g, "-")}`,
|
|
88
96
|
name: `data evolution flow for ${path}`,
|
|
@@ -75,6 +75,13 @@ function baseName(normalized) {
|
|
|
75
75
|
const segments = splitSegments(normalized);
|
|
76
76
|
return segments.at(-1) ?? normalized;
|
|
77
77
|
}
|
|
78
|
+
function pathTokens(normalized) {
|
|
79
|
+
return normalized.split(/[^a-z0-9]+/).filter(Boolean);
|
|
80
|
+
}
|
|
81
|
+
function hasToken(normalized, values) {
|
|
82
|
+
const tokens = new Set(pathTokens(normalized));
|
|
83
|
+
return values.some((value) => tokens.has(value));
|
|
84
|
+
}
|
|
78
85
|
export function isNodeModulesOrGit(normalized) {
|
|
79
86
|
return hasSegment(normalized, "node_modules") || hasSegment(normalized, ".git");
|
|
80
87
|
}
|
|
@@ -113,7 +120,12 @@ export function isInterfacePath(normalized) {
|
|
|
113
120
|
return includesAny(normalized, INTERFACE_KEYWORDS) || hasSegment(normalized, "api");
|
|
114
121
|
}
|
|
115
122
|
export function isDataLayerPath(normalized) {
|
|
116
|
-
return
|
|
123
|
+
return (hasToken(normalized, DATA_LAYER_KEYWORDS) ||
|
|
124
|
+
hasSegment(normalized, "models") ||
|
|
125
|
+
hasSegment(normalized, "schemas") ||
|
|
126
|
+
hasSegment(normalized, "migrations") ||
|
|
127
|
+
hasSegment(normalized, "seeds") ||
|
|
128
|
+
hasSegment(normalized, "db"));
|
|
117
129
|
}
|
|
118
130
|
export function isSecuritySensitivePath(normalized) {
|
|
119
131
|
return includesAny(normalized, SECURITY_KEYWORDS);
|
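Review bot: `pathTokens` (the hunk at `function baseName`) splits on `/[^a-z0-9]+/`, so it is only correct if `normalizeExtractorPath` lowercases its output, which is not visible here; on mixed-case input every uppercase letter acts as a separator and `UserModel.ts` yields `ser`, `odel`, `ts`. Exact-token matching in `isDataLayerPath` also means a keyword inside a run-together name such as `usermodel.js` does not count unless one of the listed directory segments matches, so some data-layer files may silently drop out of the data flows this tool audits. I would state the lowercase precondition in a comment on `pathTokens`, or make it self-contained with `return normalized.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);`, and add a test pinning which file names are expected to classify as data-layer.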
package/dist/io/runArtifacts.js
CHANGED
|
@@ -5,10 +5,12 @@ import { writeJsonFile } from "./json.js";
|
|
|
5
5
|
const moduleDir = dirname(fileURLToPath(import.meta.url));
|
|
6
6
|
const packageRoot = resolve(moduleDir, "..", "..");
|
|
7
7
|
const auditResultSchemaPath = join(packageRoot, "schemas", "audit_result.schema.json");
|
|
8
|
+
const findingSchemaPath = join(packageRoot, "schemas", "finding.schema.json");
|
|
8
9
|
const CURRENT_TASK_FILENAME = "current-task.json";
|
|
9
10
|
const CURRENT_PROMPT_FILENAME = "current-prompt.md";
|
|
10
11
|
const CURRENT_TASKS_FILENAME = "current-tasks.json";
|
|
11
12
|
const CURRENT_SCHEMA_FILENAME = "audit-result.schema.json";
|
|
13
|
+
const CURRENT_FINDING_SCHEMA_FILENAME = "finding.schema.json";
|
|
12
14
|
function pad(value, size = 2) {
|
|
13
15
|
return String(value).padStart(size, "0");
|
|
14
16
|
}
|
|
@@ -53,6 +55,11 @@ export async function ensureSupervisorDirs(artifactsDir) {
|
|
|
53
55
|
await mkdir(join(artifactsDir, "dispatch"), { recursive: true });
|
|
54
56
|
await mkdir(join(artifactsDir, "runs"), { recursive: true });
|
|
55
57
|
}
|
|
58
|
+
async function writeDispatchSchemaFiles(artifactsDir) {
|
|
59
|
+
const dispatchDir = join(artifactsDir, "dispatch");
|
|
60
|
+
await writeFile(join(dispatchDir, CURRENT_SCHEMA_FILENAME), await readFile(auditResultSchemaPath, "utf8"), "utf8");
|
|
61
|
+
await writeFile(join(dispatchDir, CURRENT_FINDING_SCHEMA_FILENAME), await readFile(findingSchemaPath, "utf8"), "utf8");
|
|
62
|
+
}
|
|
56
63
|
export async function writeWorkerTaskFiles(task, prompt, paths, artifactsDir, currentTasks, options = {}) {
|
|
57
64
|
await mkdir(paths.runDir, { recursive: true });
|
|
58
65
|
await writeJsonFile(paths.taskPath, task);
|
|
@@ -62,13 +69,13 @@ export async function writeWorkerTaskFiles(task, prompt, paths, artifactsDir, cu
|
|
|
62
69
|
status: "dispatched",
|
|
63
70
|
});
|
|
64
71
|
if (options.updateDispatch === false) {
|
|
65
|
-
await
|
|
72
|
+
await writeDispatchSchemaFiles(artifactsDir);
|
|
66
73
|
return;
|
|
67
74
|
}
|
|
68
75
|
await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASK_FILENAME), task);
|
|
69
76
|
await writeFile(join(artifactsDir, "dispatch", CURRENT_PROMPT_FILENAME), prompt, "utf8");
|
|
70
77
|
await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASKS_FILENAME), currentTasks ?? []);
|
|
71
|
-
await
|
|
78
|
+
await writeDispatchSchemaFiles(artifactsDir);
|
|
72
79
|
}
|
|
73
80
|
export async function writeDispatchBatchFiles(artifactsDir, runs, currentTasks) {
|
|
74
81
|
const summary = {
|
|
@@ -104,7 +111,7 @@ export async function writeDispatchBatchFiles(artifactsDir, runs, currentTasks)
|
|
|
104
111
|
await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASK_FILENAME), summary);
|
|
105
112
|
await writeFile(join(artifactsDir, "dispatch", CURRENT_PROMPT_FILENAME), promptLines.join("\n"), "utf8");
|
|
106
113
|
await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASKS_FILENAME), currentTasks);
|
|
107
|
-
await
|
|
114
|
+
await writeDispatchSchemaFiles(artifactsDir);
|
|
108
115
|
}
|
|
109
116
|
export async function clearDispatchFiles(artifactsDir) {
|
|
110
117
|
const targets = [
|
|
@@ -112,6 +119,7 @@ export async function clearDispatchFiles(artifactsDir) {
|
|
|
112
119
|
CURRENT_PROMPT_FILENAME,
|
|
113
120
|
CURRENT_TASKS_FILENAME,
|
|
114
121
|
CURRENT_SCHEMA_FILENAME,
|
|
122
|
+
CURRENT_FINDING_SCHEMA_FILENAME,
|
|
115
123
|
];
|
|
116
124
|
for (const name of targets) {
|
|
117
125
|
await rm(join(artifactsDir, "dispatch", name), { force: true });
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { existsSync } from "node:fs";
|
|
2
2
|
import { spawnSync } from "node:child_process";
|
|
3
|
-
import { delimiter, isAbsolute, join } from "node:path";
|
|
3
|
+
import { delimiter, extname, isAbsolute, join } from "node:path";
|
|
4
4
|
function isWindowsBatchCommand(path) {
|
|
5
5
|
return process.platform === "win32" && /\.(cmd|bat)$/i.test(path);
|
|
6
6
|
}
|
|
@@ -45,10 +45,24 @@ function resolveFromPath(command) {
|
|
|
45
45
|
const extensions = process.platform === "win32"
|
|
46
46
|
? (process.env.PATHEXT ?? ".COM;.EXE;.BAT;.CMD")
|
|
47
47
|
.split(";")
|
|
48
|
-
.map((ext) => ext.toLowerCase())
|
|
48
|
+
.map((ext) => ext.trim().toLowerCase())
|
|
49
|
+
.filter((ext) => ext.length > 0)
|
|
50
|
+
.map((ext) => (ext.startsWith(".") ? ext : `.${ext}`))
|
|
49
51
|
: [""];
|
|
50
52
|
for (const dir of pathEntries) {
|
|
51
53
|
const directPath = join(dir, command);
|
|
54
|
+
if (process.platform === "win32" && extname(command).length === 0) {
|
|
55
|
+
for (const ext of extensions) {
|
|
56
|
+
const candidatePath = join(dir, `${command}${ext}`);
|
|
57
|
+
if (existsSync(candidatePath)) {
|
|
58
|
+
return candidatePath;
|
|
59
|
+
}
|
|
60
|
+
}
|
|
61
|
+
if (existsSync(directPath)) {
|
|
62
|
+
return directPath;
|
|
63
|
+
}
|
|
64
|
+
continue;
|
|
65
|
+
}
|
|
52
66
|
if (existsSync(directPath)) {
|
|
53
67
|
return directPath;
|
|
54
68
|
}
|
|
@@ -8,7 +8,7 @@ export function renderWorkerPrompt(task) {
|
|
|
8
8
|
const tasksPath = task.pending_audit_tasks_path ??
|
|
9
9
|
`${task.artifacts_dir}/audit_tasks.json`;
|
|
10
10
|
const lines = [
|
|
11
|
-
"You are executing one bounded audit
|
|
11
|
+
"You are executing one bounded audit run for audit-code.",
|
|
12
12
|
`Run ID: ${task.run_id}`,
|
|
13
13
|
`Repository root: ${task.repo_root}`,
|
|
14
14
|
"",
|
|
@@ -23,6 +23,7 @@ export function renderWorkerPrompt(task) {
|
|
|
23
23
|
" task_id, unit_id, pass_id, lens",
|
|
24
24
|
" file_coverage: [{path, total_lines}] for every assigned file you reviewed",
|
|
25
25
|
" findings: array (empty if nothing found)",
|
|
26
|
+
" If the task includes file_line_counts, use those values for file_coverage.total_lines.",
|
|
26
27
|
" total_lines must match the file's current total line count.",
|
|
27
28
|
" Each finding must include:",
|
|
28
29
|
" id, title, category, severity, confidence, lens, summary, affected_files,",
|
|
@@ -33,7 +34,7 @@ export function renderWorkerPrompt(task) {
|
|
|
33
34
|
task.timeout_ms
|
|
34
35
|
? ` Time budget for this task: ${task.timeout_ms} ms.`
|
|
35
36
|
: " Keep the task bounded to the assigned files only.",
|
|
36
|
-
`Reference
|
|
37
|
+
`Reference schemas: ${task.artifacts_dir}/dispatch/audit-result.schema.json and ${task.artifacts_dir}/dispatch/finding.schema.json`,
|
|
37
38
|
`Write the AuditResult[] JSON array to: ${task.audit_results_path}`,
|
|
38
39
|
];
|
|
39
40
|
if (usesDeferredWorkerCommand(task)) {
|
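Review bot: The new Windows branch in the `resolveFromPath` hunk (`@@ -45,10 +45,24 @@`) returns the first `join(dir, command + ext)` that exists for every entry in `pathEntries`, so an empty or relative PATH entry (`""` or `.`) resolves against the current working directory, which for this tool may be the repository being audited. How `pathEntries` is built lies outside the hunk, so this may already be filtered; if it is not, I would skip such entries with `if (!isAbsolute(dir)) continue;` at the top of the loop (`isAbsolute` is already imported). `existsSync` is also true for directories, so a directory named like the command would be returned as the executable; checking `statSync(candidatePath).isFile()` would be stricter. The function starts and ends outside this hunk.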
package/dist/types.d.ts
CHANGED
|
@@ -306,12 +306,12 @@ export function validateAuditResults(results, tasks, options = {}) {
|
|
|
306
306
|
});
|
|
307
307
|
}
|
|
308
308
|
if (Number.isInteger(entry.total_lines) &&
|
|
309
|
-
Number(entry.total_lines)
|
|
309
|
+
Number(entry.total_lines) < 0) {
|
|
310
310
|
pushIssue(issues, {
|
|
311
311
|
result_index: i,
|
|
312
312
|
task_id: taskId,
|
|
313
313
|
field: `file_coverage[${j}].total_lines`,
|
|
314
|
-
message: "file_coverage total_lines must be
|
|
314
|
+
message: "file_coverage total_lines must be zero or greater.",
|
|
315
315
|
});
|
|
316
316
|
}
|
|
317
317
|
const expectedLineCount = typeof entry.path === "string"
|
|
@@ -330,7 +330,7 @@ export function validateAuditResults(results, tasks, options = {}) {
|
|
|
330
330
|
}
|
|
331
331
|
if (isNonEmptyString(entry.path) &&
|
|
332
332
|
Number.isInteger(entry.total_lines) &&
|
|
333
|
-
Number(entry.total_lines)
|
|
333
|
+
Number(entry.total_lines) >= 0) {
|
|
334
334
|
normalizedFileCoverage.push({
|
|
335
335
|
path: entry.path,
|
|
336
336
|
total_lines: Number(entry.total_lines),
|
package/package.json
CHANGED