auditor-lambda 0.2.13 → 0.2.15

package/dist/cli.js

@@ -287,6 +287,13 @@ function buildPendingAuditTasks(bundle) {
     const completedTaskIds = new Set((bundle.audit_results ?? []).map((result) => result.task_id));
     return (bundle.audit_tasks ?? []).filter((task) => task.status !== "complete" && !completedTaskIds.has(task.task_id));
 }
+async function addFileLineCountHints(root, tasks) {
+    const lineIndex = await buildLineIndexForPaths(root, tasks.flatMap((task) => task.file_paths));
+    return tasks.map((task) => ({
+        ...task,
+        file_line_counts: Object.fromEntries(task.file_paths.map((path) => [path, lineIndex[path] ?? 0])),
+    }));
+}
 function formatAuditResultValidationError(issues) {
     return (`audit-results validation failed with ${issues.length} error(s):\n` +
         formatAuditResultIssues(issues));
@@ -731,7 +738,7 @@ async function cmdRunToCompletion(argv) {
             });
             const blockRunId = buildRunId(obligationId, runCount + 1);
             const blockPaths = getRunPaths(artifactsDir, blockRunId);
-            const blockPendingTasks = buildPendingAuditTasks(bundle).slice(0, agentBatchSize);
+            const blockPendingTasks = await addFileLineCountHints(root, buildPendingAuditTasks(bundle).slice(0, agentBatchSize));
             const blockPendingTasksPath = join(blockPaths.runDir, "pending-audit-tasks.json");
             const blockAuditResultsPath = join(blockPaths.runDir, "audit-results.json");
             const blockTask = {
@@ -814,7 +821,8 @@ async function cmdRunToCompletion(argv) {
             const allPendingTasks = buildPendingAuditTasks(bundle);
             const taskGroups = chunkArray(allPendingTasks.slice(0, parallelWorkers * agentBatchSize), agentBatchSize);
             const workerSlots = [];
-            for (const group of taskGroups) {
+            for (const rawGroup of taskGroups) {
+                const group = await addFileLineCountHints(root, rawGroup);
                 runCount += 1;
                 const slotRunId = buildRunId(obligationId, runCount);
                 const slotPaths = getRunPaths(artifactsDir, slotRunId);
@@ -1131,7 +1139,7 @@ async function cmdRunToCompletion(argv) {
             continue;
         }
         const pendingAuditTasks = preferredExecutor === "agent"
-            ? buildPendingAuditTasks(bundle).slice(0, agentBatchSize)
+            ? await addFileLineCountHints(root, buildPendingAuditTasks(bundle).slice(0, agentBatchSize))
             : undefined;
         const pendingAuditTasksPath = preferredExecutor === "agent"
             ? join(paths.runDir, "pending-audit-tasks.json")

package/dist/extractors/disposition.js

@@ -1,4 +1,4 @@
-import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isAuditArtifactPath, isGeneratedInstallArtifactPath, normalizeExtractorPath, } from "./pathPatterns.js";
+import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isAuditArtifactPath, isGeneratedInstallArtifactPath, isExamplesOrFixturesPath, normalizeExtractorPath, } from "./pathPatterns.js";
 function inferDisposition(path) {
     const normalized = normalizeExtractorPath(path);
     if (isNodeModulesOrGit(normalized)) {
@@ -43,6 +43,9 @@ function inferDisposition(path) {
             reason: "Generated install/bootstrap artifact.",
         };
     }
+    if (isExamplesOrFixturesPath(normalized)) {
+        return { path, status: "doc_only", reason: "Examples and fixtures are support artifacts, not auditable code." };
+    }
     return {
         path,
         status: "included",

package/dist/extractors/flows.js

@@ -1,5 +1,5 @@
 import { isAuditExcludedStatus } from "./disposition.js";
-import { EXTRACTOR_HEURISTIC_NOTE, isAsyncTaskPath, isBillingPath, isIdentityPath, isSecuritySensitivePath, isDataLayerPath, isConcurrencyPath, isInterfacePath, isDeploymentConfigPath, normalizeExtractorPath, } from "./pathPatterns.js";
+import { EXTRACTOR_HEURISTIC_NOTE, isAsyncTaskPath, isBillingPath, isIdentityPath, isSecuritySensitivePath, isTestPath, isDataLayerPath, isConcurrencyPath, isInterfacePath, isDeploymentConfigPath, normalizeExtractorPath, } from "./pathPatterns.js";
 function inferConcerns(paths) {
     const concerns = new Set();
     for (const path of paths) {
@@ -15,6 +15,12 @@ function inferConcerns(paths) {
     }
     return concerns.size > 0 ? [...concerns] : ["correctness"];
 }
+function isSchemaContractPath(normalized) {
+    return normalized.endsWith(".schema.json");
+}
+function isSupportArtifactPath(normalized) {
+    return isTestPath(normalized) || normalized.startsWith("examples/");
+}
 function relatedPaths(entry, availablePaths) {
     const normalized = normalizeExtractorPath(entry);
     const linked = new Set([entry]);
@@ -82,7 +88,9 @@ export function buildCriticalFlowManifest(repoManifest, surfaceManifest, disposi
     }
     for (const path of availablePaths) {
         const normalized = normalizeExtractorPath(path);
-        if (isDataLayerPath(normalized)) {
+        if (isDataLayerPath(normalized) &&
+            !isSchemaContractPath(normalized) &&
+            !isSupportArtifactPath(normalized)) {
             flows.push({
                 id: `flow:data:${path.replace(/[^a-zA-Z0-9:_-]/g, "-")}`,
                 name: `data evolution flow for ${path}`,

package/dist/extractors/pathPatterns.d.ts

@@ -5,6 +5,7 @@
  */
 export declare const EXTRACTOR_HEURISTIC_NOTE = "Heuristic path classification normalizes case and path separators, then matches conservative keyword groups; confirm unusual repo layouts manually.";
 export declare function normalizeExtractorPath(path: string): string;
+export declare function pathTokens(normalized: string): string[];
 export declare function isNodeModulesOrGit(normalized: string): boolean;
 export declare function isBuildOutput(normalized: string): boolean;
 export declare function isVendorPath(normalized: string): boolean;
@@ -20,6 +21,7 @@ export declare function isInterfacePath(normalized: string): boolean;
 export declare function isDataLayerPath(normalized: string): boolean;
 export declare function isSecuritySensitivePath(normalized: string): boolean;
 export declare function isConcurrencyPath(normalized: string): boolean;
+export declare function isExamplesOrFixturesPath(normalized: string): boolean;
 export declare function isScriptPath(normalized: string): boolean;
 export declare function isDeploymentConfigPath(normalized: string): boolean;
 export declare function isGeneratedPath(normalized: string): boolean;

package/dist/extractors/pathPatterns.js

@@ -32,11 +32,17 @@ const SECURITY_KEYWORDS = [
 ];
 const CONCURRENCY_KEYWORDS = [
     "queue",
+    "queues",
     "worker",
+    "workers",
     "job",
+    "jobs",
     "cache",
+    "caches",
     "retry",
+    "retries",
     "lock",
+    "locks",
 ];
 const SCRIPT_KEYWORDS = ["script"];
 const DEPLOYMENT_KEYWORDS = [
@@ -75,6 +81,13 @@ function baseName(normalized) {
     const segments = splitSegments(normalized);
     return segments.at(-1) ?? normalized;
 }
+export function pathTokens(normalized) {
+    return normalized.split(/[^a-z0-9]+/).filter(Boolean);
+}
+function hasToken(normalized, values) {
+    const tokens = new Set(pathTokens(normalized));
+    return values.some((value) => tokens.has(value));
+}
 export function isNodeModulesOrGit(normalized) {
     return hasSegment(normalized, "node_modules") || hasSegment(normalized, ".git");
 }
@@ -113,13 +126,21 @@ export function isInterfacePath(normalized) {
     return includesAny(normalized, INTERFACE_KEYWORDS) || hasSegment(normalized, "api");
 }
 export function isDataLayerPath(normalized) {
-    return includesAny(normalized, DATA_LAYER_KEYWORDS) || hasSegment(normalized, "db");
+    return (hasToken(normalized, DATA_LAYER_KEYWORDS) ||
+        hasSegment(normalized, "models") ||
+        hasSegment(normalized, "schemas") ||
+        hasSegment(normalized, "migrations") ||
+        hasSegment(normalized, "seeds") ||
+        hasSegment(normalized, "db"));
 }
 export function isSecuritySensitivePath(normalized) {
     return includesAny(normalized, SECURITY_KEYWORDS);
 }
 export function isConcurrencyPath(normalized) {
-    return includesAny(normalized, CONCURRENCY_KEYWORDS);
+    return hasToken(normalized, CONCURRENCY_KEYWORDS);
+}
+export function isExamplesOrFixturesPath(normalized) {
+    return hasSegment(normalized, "examples") || hasSegment(normalized, "fixtures");
 }
 export function isScriptPath(normalized) {
     return (includesAny(normalized, SCRIPT_KEYWORDS) ||

package/dist/io/runArtifacts.js

@@ -5,10 +5,12 @@ import { writeJsonFile } from "./json.js";
 const moduleDir = dirname(fileURLToPath(import.meta.url));
 const packageRoot = resolve(moduleDir, "..", "..");
 const auditResultSchemaPath = join(packageRoot, "schemas", "audit_result.schema.json");
+const findingSchemaPath = join(packageRoot, "schemas", "finding.schema.json");
 const CURRENT_TASK_FILENAME = "current-task.json";
 const CURRENT_PROMPT_FILENAME = "current-prompt.md";
 const CURRENT_TASKS_FILENAME = "current-tasks.json";
 const CURRENT_SCHEMA_FILENAME = "audit-result.schema.json";
+const CURRENT_FINDING_SCHEMA_FILENAME = "finding.schema.json";
 function pad(value, size = 2) {
     return String(value).padStart(size, "0");
 }
@@ -53,6 +55,11 @@ export async function ensureSupervisorDirs(artifactsDir) {
     await mkdir(join(artifactsDir, "dispatch"), { recursive: true });
     await mkdir(join(artifactsDir, "runs"), { recursive: true });
 }
+async function writeDispatchSchemaFiles(artifactsDir) {
+    const dispatchDir = join(artifactsDir, "dispatch");
+    await writeFile(join(dispatchDir, CURRENT_SCHEMA_FILENAME), await readFile(auditResultSchemaPath, "utf8"), "utf8");
+    await writeFile(join(dispatchDir, CURRENT_FINDING_SCHEMA_FILENAME), await readFile(findingSchemaPath, "utf8"), "utf8");
+}
 export async function writeWorkerTaskFiles(task, prompt, paths, artifactsDir, currentTasks, options = {}) {
     await mkdir(paths.runDir, { recursive: true });
     await writeJsonFile(paths.taskPath, task);
@@ -62,13 +69,13 @@ export async function writeWorkerTaskFiles(task, prompt, paths, artifactsDir, cu
         status: "dispatched",
     });
     if (options.updateDispatch === false) {
-        await writeFile(join(artifactsDir, "dispatch", CURRENT_SCHEMA_FILENAME), await readFile(auditResultSchemaPath, "utf8"), "utf8");
+        await writeDispatchSchemaFiles(artifactsDir);
         return;
     }
     await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASK_FILENAME), task);
     await writeFile(join(artifactsDir, "dispatch", CURRENT_PROMPT_FILENAME), prompt, "utf8");
     await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASKS_FILENAME), currentTasks ?? []);
-    await writeFile(join(artifactsDir, "dispatch", CURRENT_SCHEMA_FILENAME), await readFile(auditResultSchemaPath, "utf8"), "utf8");
+    await writeDispatchSchemaFiles(artifactsDir);
 }
 export async function writeDispatchBatchFiles(artifactsDir, runs, currentTasks) {
     const summary = {
@@ -104,7 +111,7 @@ export async function writeDispatchBatchFiles(artifactsDir, runs, currentTasks)
     await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASK_FILENAME), summary);
     await writeFile(join(artifactsDir, "dispatch", CURRENT_PROMPT_FILENAME), promptLines.join("\n"), "utf8");
     await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASKS_FILENAME), currentTasks);
-    await writeFile(join(artifactsDir, "dispatch", CURRENT_SCHEMA_FILENAME), await readFile(auditResultSchemaPath, "utf8"), "utf8");
+    await writeDispatchSchemaFiles(artifactsDir);
 }
 export async function clearDispatchFiles(artifactsDir) {
     const targets = [
@@ -112,6 +119,7 @@ export async function clearDispatchFiles(artifactsDir) {
         CURRENT_PROMPT_FILENAME,
         CURRENT_TASKS_FILENAME,
         CURRENT_SCHEMA_FILENAME,
+        CURRENT_FINDING_SCHEMA_FILENAME,
     ];
     for (const name of targets) {
         await rm(join(artifactsDir, "dispatch", name), { force: true });

package/dist/orchestrator/localCommands.js

@@ -1,6 +1,6 @@
 import { existsSync } from "node:fs";
 import { spawnSync } from "node:child_process";
-import { delimiter, isAbsolute, join } from "node:path";
+import { delimiter, extname, isAbsolute, join } from "node:path";
 function isWindowsBatchCommand(path) {
     return process.platform === "win32" && /\.(cmd|bat)$/i.test(path);
 }
@@ -45,10 +45,24 @@ function resolveFromPath(command) {
     const extensions = process.platform === "win32"
         ? (process.env.PATHEXT ?? ".COM;.EXE;.BAT;.CMD")
             .split(";")
-            .map((ext) => ext.toLowerCase())
+            .map((ext) => ext.trim().toLowerCase())
+            .filter((ext) => ext.length > 0)
+            .map((ext) => (ext.startsWith(".") ? ext : `.${ext}`))
         : [""];
     for (const dir of pathEntries) {
         const directPath = join(dir, command);
+        if (process.platform === "win32" && extname(command).length === 0) {
+            for (const ext of extensions) {
+                const candidatePath = join(dir, `${command}${ext}`);
+                if (existsSync(candidatePath)) {
+                    return candidatePath;
+                }
+            }
+            if (existsSync(directPath)) {
+                return directPath;
+            }
+            continue;
+        }
         if (existsSync(directPath)) {
             return directPath;
         }

package/dist/orchestrator/unitBuilder.js

@@ -1,5 +1,6 @@
 import { bucketFile } from "../extractors/bucketing.js";
 import { isAuditExcludedStatus } from "../extractors/disposition.js";
+import { pathTokens, normalizeExtractorPath } from "../extractors/pathPatterns.js";
 const LENS_MAP = {
     runtime: ["correctness", "maintainability", "tests"],
     interface: ["correctness", "security", "reliability", "tests"],
@@ -50,13 +51,20 @@ function inferUnitId(path, kind) {
     if ((parts[0] === "tests" || parts[0] === "test") && parts.length >= 2) {
         return `tests-${parts[1]}`.replace(/[^a-zA-Z0-9_-]/g, "-");
     }
-    if (parts.length >= 2) {
+    if (parts.length >= 3) {
         return `${parts[0]}-${parts[1]}`.replace(/[^a-zA-Z0-9_-]/g, "-");
     }
-    if (normalized.includes("docker") ||
+    if (parts.length === 2) {
+        return parts[0].replace(/[^a-zA-Z0-9_-]/g, "-");
+    }
+    if (normalized.endsWith(".json") ||
+        normalized.endsWith(".yaml") ||
         normalized.endsWith(".yml") ||
-        normalized.endsWith(".yaml")) {
-        return "infra-config";
+        normalized.endsWith(".toml") ||
+        normalized.endsWith(".sh") ||
+        normalized.includes("docker") ||
+        normalized.startsWith(".")) {
+        return "root-config";
     }
     return `${kind}-${path.replace(/[^a-zA-Z0-9_-]/g, "-")}`;
 }
@@ -75,6 +83,16 @@ function sortLenses(lenses) {
     const set = new Set(lenses);
     return LENS_ORDER.filter((lens) => set.has(lens));
 }
+function applyExtensionLensGuards(path, lenses) {
+    const n = path.toLowerCase();
+    if (n.endsWith(".schema.json") || n.endsWith(".schema.ts")) {
+        return lenses.filter((l) => l === "data_integrity");
+    }
+    if (n.endsWith(".json") || n.endsWith(".yaml") || n.endsWith(".yml")) {
+        return lenses.filter((l) => l !== "tests" && l !== "performance");
+    }
+    return lenses;
+}
 export function deriveRequiredLensesForPath(path) {
     const assignment = bucketFile(path);
     const required = new Set();
@@ -83,29 +101,25 @@ export function deriveRequiredLensesForPath(path) {
             required.add(lens);
         }
     }
-    return sortLenses(required);
+    return applyExtensionLensGuards(path, sortLenses(required));
 }
 function inferCriticalFlows(files, requiredLenses) {
     const flows = new Set();
-    const combined = files.join(" ").toLowerCase();
-    if (combined.includes("auth") ||
-        combined.includes("session") ||
-        combined.includes("token")) {
+    const tokens = new Set(files.flatMap((f) => pathTokens(normalizeExtractorPath(f))));
+    if (tokens.has("auth") || tokens.has("session") || tokens.has("token")) {
         flows.add("auth-session");
     }
-    if (combined.includes("billing") ||
-        combined.includes("invoice") ||
-        combined.includes("payment")) {
+    if (tokens.has("billing") || tokens.has("invoice") || tokens.has("payment")) {
         flows.add("billing-payment");
     }
-    if (combined.includes("queue") ||
-        combined.includes("worker") ||
-        combined.includes("job") ||
+    if (tokens.has("queue") ||
+        tokens.has("worker") ||
+        tokens.has("job") ||
         requiredLenses.includes("reliability")) {
         flows.add("async-processing");
     }
-    if (combined.includes("deploy") ||
-        combined.includes("docker") ||
+    if (tokens.has("deploy") ||
+        tokens.has("docker") ||
         requiredLenses.includes("config_deployment")) {
         flows.add("deployment-config");
     }

package/dist/prompts/renderWorkerPrompt.js

@@ -8,7 +8,7 @@ export function renderWorkerPrompt(task) {
         const tasksPath = task.pending_audit_tasks_path ??
             `${task.artifacts_dir}/audit_tasks.json`;
         const lines = [
-            "You are executing one bounded audit task for audit-code.",
+            "You are executing one bounded audit run for audit-code.",
             `Run ID: ${task.run_id}`,
             `Repository root: ${task.repo_root}`,
             "",
@@ -23,17 +23,20 @@ export function renderWorkerPrompt(task) {
             "       task_id, unit_id, pass_id, lens",
             "       file_coverage: [{path, total_lines}] for every assigned file you reviewed",
             "       findings: array (empty if nothing found)",
+            "     If the task includes file_line_counts, use those values for file_coverage.total_lines.",
             "     total_lines must match the file's current total line count.",
             "     Each finding must include:",
-            "       id, title, category, severity, confidence, lens, summary, affected_files,",
-            "       evidence (an array of plain strings only, at least one excerpt or line reference from the file you read)",
+            "       id, title, category, severity, confidence, lens, summary",
+            "       affected_files: [{path, line_start?, line_end?, symbol?}] — path is repo-relative, NOT a plain string",
+            "       evidence: array of plain strings only, at least one excerpt or line reference from the file you read",
             "       Example evidence entry: src/foo.ts:42 - variable overwritten before use",
+            "       Example affected_files entry: {\"path\": \"src/foo.ts\", \"line_start\": 42, \"line_end\": 55, \"symbol\": \"myFunction\"}",
             "     Optional finding fields: impact, likelihood, reproduction, systemic, related_findings",
             "     Low-priority tasks still require a real review. Use findings: [] only when you genuinely found nothing notable.",
             task.timeout_ms
                 ? `     Time budget for this task: ${task.timeout_ms} ms.`
                 : "     Keep the task bounded to the assigned files only.",
-            `Reference schema: ${task.artifacts_dir}/dispatch/audit-result.schema.json`,
+            `Reference schemas: ${task.artifacts_dir}/dispatch/audit-result.schema.json and ${task.artifacts_dir}/dispatch/finding.schema.json`,
             `Write the AuditResult[] JSON array to: ${task.audit_results_path}`,
         ];
         if (usesDeferredWorkerCommand(task)) {

package/dist/types.d.ts

@@ -53,6 +53,7 @@ export interface AuditTask {
     pass_id: string;
     lens: Lens;
     file_paths: string[];
+    file_line_counts?: Record<string, number>;
     line_ranges?: Array<{
         path: string;
         start: number;

package/dist/validation/auditResults.js

@@ -306,12 +306,12 @@ export function validateAuditResults(results, tasks, options = {}) {
                     });
                 }
                 if (Number.isInteger(entry.total_lines) &&
-                    Number(entry.total_lines) <= 0) {
+                    Number(entry.total_lines) < 0) {
                     pushIssue(issues, {
                         result_index: i,
                         task_id: taskId,
                         field: `file_coverage[${j}].total_lines`,
-                        message: "file_coverage total_lines must be greater than zero.",
+                        message: "file_coverage total_lines must be zero or greater.",
                     });
                 }
                 const expectedLineCount = typeof entry.path === "string"
@@ -330,7 +330,7 @@ export function validateAuditResults(results, tasks, options = {}) {
                 }
                 if (isNonEmptyString(entry.path) &&
                     Number.isInteger(entry.total_lines) &&
-                    Number(entry.total_lines) > 0) {
+                    Number(entry.total_lines) >= 0) {
                     normalizedFileCoverage.push({
                         path: entry.path,
                         total_lines: Number(entry.total_lines),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.2.13",
+  "version": "0.2.15",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",

package/schemas/audit_result.schema.json

@@ -33,7 +33,7 @@
         "required": ["path", "total_lines"],
         "properties": {
           "path": { "type": "string" },
-          "total_lines": { "type": "integer", "minimum": 1 }
+          "total_lines": { "type": "integer", "minimum": 0 }
         },
         "additionalProperties": false
       }

package/schemas/audit_task.schema.json

@@ -24,6 +24,13 @@
       "minItems": 1,
       "items": { "type": "string" }
     },
+    "file_line_counts": {
+      "type": "object",
+      "additionalProperties": {
+        "type": "integer",
+        "minimum": 0
+      }
+    },
     "line_ranges": {
       "type": "array",
       "items": {