auditor-lambda 0.2.5 → 0.2.8

package/dist/coverage.d.ts

@@ -1,8 +1,8 @@
-import type { CoverageFileRecord, CoverageMatrix, Lens, ReviewedLineRange } from "./types.js";
+import type { CoverageFileRecord, CoverageMatrix, FileCoverageRecord, Lens } from "./types.js";
 export declare function createCoverageMatrix(paths: string[]): CoverageMatrix;
 export declare function markExcludedPath(matrix: CoverageMatrix, path: string, classificationStatus: string): void;
 export declare function applyUnitCoverage(matrix: CoverageMatrix, path: string, unitId: string, requiredLenses: Lens[]): void;
-export declare function applyReviewedRanges(matrix: CoverageMatrix, reviewedRanges: ReviewedLineRange[]): void;
+export declare function applyFileCoverage(matrix: CoverageMatrix, fileCoverage: FileCoverageRecord[]): void;
 export declare function findUncoveredFiles(matrix: CoverageMatrix): CoverageFileRecord[];
 export declare function buildRequeueTargets(matrix: CoverageMatrix): Array<{
     path: string;

package/dist/coverage.js

@@ -32,13 +32,13 @@ export function applyUnitCoverage(matrix, path, unitId, requiredLenses) {
         ...new Set([...record.required_lenses, ...requiredLenses]),
     ];
 }
-export function applyReviewedRanges(matrix, reviewedRanges) {
-    for (const range of reviewedRanges) {
-        const record = matrix.files.find((file) => file.path === range.path);
+export function applyFileCoverage(matrix, fileCoverage) {
+    for (const coverage of fileCoverage) {
+        const record = matrix.files.find((file) => file.path === coverage.path);
         if (!record || record.audit_status === "excluded")
             continue;
-        if (range.lens && !record.completed_lenses.includes(range.lens)) {
-            record.completed_lenses.push(range.lens);
+        if (coverage.lens && !record.completed_lenses.includes(coverage.lens)) {
+            record.completed_lenses.push(coverage.lens);
         }
     }
     for (const file of matrix.files) {

package/dist/extractors/disposition.js

@@ -1,4 +1,4 @@
-import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isDocPath, } from "./pathPatterns.js";
+import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, } from "./pathPatterns.js";
 function inferDisposition(path) {
     const normalized = path.toLowerCase();
     if (isNodeModulesOrGit(normalized)) {
@@ -17,6 +17,15 @@ function inferDisposition(path) {
             reason: "Non-source binary-like artifact.",
         };
     }
+    if (isLogPath(normalized)) {
+        return { path, status: "generated", reason: "Runtime log artifact." };
+    }
+    if (isLicensePath(normalized)) {
+        return { path, status: "doc_only", reason: "License file is not auditable code." };
+    }
+    if (isLockfilePath(normalized)) {
+        return { path, status: "generated", reason: "Lockfile excluded from code audit scope." };
+    }
     if (isDocPath(normalized)) {
         return { path, status: "doc_only", reason: "Documentation artifact." };
     }

package/dist/extractors/flows.js

@@ -94,6 +94,7 @@ export function buildCriticalFlowManifest(repoManifest, surfaceManifest, disposi
             entrypoints: [entry],
             paths,
             concerns: inferConcerns(paths),
+            confidence: paths.length > 1 ? "high" : "low",
             notes: [
                 "Heuristic critical-flow inference from detected surfaces and related paths.",
             ],
@@ -108,9 +109,14 @@ export function buildCriticalFlowManifest(repoManifest, surfaceManifest, disposi
                 entrypoints: [path],
                 paths: relatedPaths(path, availablePaths),
                 concerns: ["data_integrity", "reliability"],
+                confidence: "high",
                 notes: ["Heuristic data-evolution flow."],
             });
         }
     }
-    return { flows: dedupeFlows(flows) };
+    const deduped = dedupeFlows(flows);
+    return {
+        flows: deduped,
+        fallback_required: deduped.length === 0 || deduped.some((flow) => flow.confidence === "low"),
+    };
 }

package/dist/extractors/pathPatterns.d.ts

@@ -7,6 +7,9 @@ export declare function isNodeModulesOrGit(normalized: string): boolean;
 export declare function isBuildOutput(normalized: string): boolean;
 export declare function isVendorPath(normalized: string): boolean;
 export declare function isBinaryArtifact(normalized: string): boolean;
+export declare function isLogPath(normalized: string): boolean;
+export declare function isLicensePath(normalized: string): boolean;
+export declare function isLockfilePath(normalized: string): boolean;
 export declare function isDocPath(normalized: string): boolean;
 export declare function isTestPath(normalized: string): boolean;
 export declare function isInterfacePath(normalized: string): boolean;

package/dist/extractors/pathPatterns.js

@@ -21,6 +21,21 @@ export function isBinaryArtifact(normalized) {
         normalized.endsWith(".pdf") ||
         normalized.endsWith(".zip"));
 }
+export function isLogPath(normalized) {
+    return normalized.endsWith(".log") || normalized.includes("stdout.log") || normalized.includes("stderr.log");
+}
+export function isLicensePath(normalized) {
+    const base = normalized.split(/[/\\]/).pop() ?? normalized;
+    return base === "license" || base.startsWith("license.");
+}
+export function isLockfilePath(normalized) {
+    return (normalized.endsWith("package-lock.json") ||
+        normalized.endsWith("pnpm-lock.yaml") ||
+        normalized.endsWith("yarn.lock") ||
+        normalized.endsWith("cargo.lock") ||
+        normalized.endsWith("composer.lock") ||
+        normalized.endsWith("go.sum"));
+}
 export function isDocPath(normalized) {
     return normalized.endsWith(".md") || normalized.startsWith("docs/");
 }

package/dist/extractors/risk.js

@@ -19,6 +19,9 @@ export function buildRiskRegister(unitManifest, criticalFlows, externalAnalyzerR
             signals.push("writes_or_persistence");
         if (unit.required_lenses.includes("config_deployment"))
             signals.push("operational_surface");
+        if (unit.files.some((path) => /(write|save|persist|lock|cache|retry|open|sync|refresh)/i.test(path))) {
+            signals.push("path_level_stateful_behavior");
+        }
         const flowHits = unit.files.reduce((sum, path) => sum + (flowMap.get(path) ?? 0), 0);
         if (flowHits > 0) {
             signals.push("critical_flow_member");
@@ -29,7 +32,10 @@ export function buildRiskRegister(unitManifest, criticalFlows, externalAnalyzerR
         }
         return {
             unit_id: unit.unit_id,
-            risk_score: (unit.risk_score ?? 0) + flowHits + externalHits,
+            risk_score: (unit.risk_score ?? 0) +
+                flowHits +
+                externalHits +
+                (signals.includes("path_level_stateful_behavior") ? 1 : 0),
             signals,
             notes: [
                 "Initial heuristic risk scoring.",

package/dist/io/artifacts.d.ts

@@ -26,9 +26,7 @@ export interface ArtifactBundle {
     audit_results?: AuditResult[];
     audit_tasks?: AuditTask[];
     requeue_tasks?: AuditTask[];
-    merged_findings?: unknown;
-    root_cause_clusters?: unknown;
-    synthesis_report?: unknown;
+    audit_report?: string;
     audit_state?: AuditState;
     artifact_metadata?: ArtifactMetadataManifest;
 }
@@ -49,9 +47,7 @@ export declare const ARTIFACT_FILE_TO_BUNDLE_KEY: {
     readonly "audit_results.jsonl": "audit_results";
     readonly "audit_tasks.json": "audit_tasks";
     readonly "requeue_tasks.json": "requeue_tasks";
-    readonly "merged_findings.json": "merged_findings";
-    readonly "root_cause_clusters.json": "root_cause_clusters";
-    readonly "synthesis_report.json": "synthesis_report";
+    readonly "audit-report.md": "audit_report";
     readonly "audit_state.json": "audit_state";
     readonly "artifact_metadata.json": "artifact_metadata";
 };
@@ -59,3 +55,7 @@ export declare function getArtifactValue(bundle: ArtifactBundle, artifactName: s
 export declare function loadArtifactBundle(root: string): Promise<ArtifactBundle>;
 export declare function writeCoreArtifacts(root: string, bundle: ArtifactBundle): Promise<void>;
 export declare function cleanupIntermediateArtifacts(root: string): Promise<string[]>;
+export declare function promoteFinalAuditReport(params: {
+    artifactsDir: string;
+    repoRoot: string;
+}): Promise<void>;

package/dist/io/artifacts.js

@@ -1,6 +1,6 @@
-import { unlink } from "node:fs/promises";
+import { cp, rm, unlink } from "node:fs/promises";
 import { join } from "node:path";
-import { writeJsonFile, readOptionalJsonFile, readOptionalNdjsonFile, writeNdjsonFile, } from "./json.js";
+import { writeJsonFile, readOptionalJsonFile, readOptionalNdjsonFile, readOptionalTextFile, writeNdjsonFile, writeTextFile, } from "./json.js";
 export const ARTIFACT_FILE_TO_BUNDLE_KEY = {
     "repo_manifest.json": "repo_manifest",
     "file_disposition.json": "file_disposition",
@@ -18,9 +18,7 @@ export const ARTIFACT_FILE_TO_BUNDLE_KEY = {
     "audit_results.jsonl": "audit_results",
     "audit_tasks.json": "audit_tasks",
     "requeue_tasks.json": "requeue_tasks",
-    "merged_findings.json": "merged_findings",
-    "root_cause_clusters.json": "root_cause_clusters",
-    "synthesis_report.json": "synthesis_report",
+    "audit-report.md": "audit_report",
     "audit_state.json": "audit_state",
     "artifact_metadata.json": "artifact_metadata",
 };
@@ -51,9 +49,7 @@ export async function loadArtifactBundle(root) {
     bundle.audit_results = await readOptionalNdjsonFile(`${root}/audit_results.jsonl`);
     bundle.audit_tasks = await readOptionalJsonFile(`${root}/audit_tasks.json`);
     bundle.requeue_tasks = await readOptionalJsonFile(`${root}/requeue_tasks.json`);
-    bundle.merged_findings = await readOptionalJsonFile(`${root}/merged_findings.json`);
-    bundle.root_cause_clusters = await readOptionalJsonFile(`${root}/root_cause_clusters.json`);
-    bundle.synthesis_report = await readOptionalJsonFile(`${root}/synthesis_report.json`);
+    bundle.audit_report = await readOptionalTextFile(`${root}/audit-report.md`);
     bundle.audit_state = await readOptionalJsonFile(`${root}/audit_state.json`);
     bundle.artifact_metadata = await readOptionalJsonFile(`${root}/artifact_metadata.json`);
     return bundle;
@@ -91,20 +87,13 @@ export async function writeCoreArtifacts(root, bundle) {
         await writeJsonFile(`${root}/audit_tasks.json`, bundle.audit_tasks);
     if (bundle.requeue_tasks)
         await writeJsonFile(`${root}/requeue_tasks.json`, bundle.requeue_tasks);
-    if (bundle.merged_findings)
-        await writeJsonFile(`${root}/merged_findings.json`, bundle.merged_findings);
-    if (bundle.root_cause_clusters)
-        await writeJsonFile(`${root}/root_cause_clusters.json`, bundle.root_cause_clusters);
-    if (bundle.synthesis_report)
-        await writeJsonFile(`${root}/synthesis_report.json`, bundle.synthesis_report);
+    if (bundle.audit_report !== undefined)
+        await writeTextFile(`${root}/audit-report.md`, bundle.audit_report);
     if (bundle.audit_state)
         await writeJsonFile(`${root}/audit_state.json`, bundle.audit_state);
     if (bundle.artifact_metadata)
         await writeJsonFile(`${root}/artifact_metadata.json`, bundle.artifact_metadata);
 }
-// Intermediate files deleted after synthesis completes. The final outputs
-// (synthesis_report.json, merged_findings.json, root_cause_clusters.json,
-// audit_state.json) are retained.
 const INTERMEDIATE_ARTIFACTS = [
     "repo_manifest.json",
     "file_disposition.json",
@@ -123,6 +112,8 @@ const INTERMEDIATE_ARTIFACTS = [
     "audit_tasks.json",
     "requeue_tasks.json",
     "artifact_metadata.json",
+    "audit_state.json",
+    "audit-report.md",
 ];
 export async function cleanupIntermediateArtifacts(root) {
     const deleted = [];
@@ -137,3 +128,9 @@ export async function cleanupIntermediateArtifacts(root) {
     }
     return deleted;
 }
+export async function promoteFinalAuditReport(params) {
+    const source = join(params.artifactsDir, "audit-report.md");
+    const destination = join(params.repoRoot, "audit-report.md");
+    await cp(source, destination, { force: true });
+    await rm(params.artifactsDir, { recursive: true, force: true });
+}

package/dist/io/json.d.ts

@@ -6,3 +6,5 @@ export declare function readNdjsonFile<T>(path: string): Promise<T[]>;
 export declare function readOptionalJsonFile<T>(path: string): Promise<T | undefined>;
 export declare function readOptionalNdjsonFile<T>(path: string): Promise<T[] | undefined>;
 export declare function writeNdjsonFile(path: string, values: unknown[]): Promise<void>;
+export declare function readOptionalTextFile(path: string): Promise<string | undefined>;
+export declare function writeTextFile(path: string, value: string): Promise<void>;

package/dist/io/json.js

@@ -94,3 +94,18 @@ export async function writeNdjsonFile(path, values) {
     }
     await writeFile(path, values.map((v) => JSON.stringify(v)).join("\n") + "\n", "utf8");
 }
+export async function readOptionalTextFile(path) {
+    try {
+        return await readFile(path, "utf8");
+    }
+    catch (error) {
+        if (isFileMissingError(error)) {
+            return undefined;
+        }
+        throw new Error(`Failed to read ${path}: ${errorMessage(error)}`);
+    }
+}
+export async function writeTextFile(path, value) {
+    await mkdir(dirname(path), { recursive: true });
+    await writeFile(path, value, "utf8");
+}

package/dist/io/runArtifacts.d.ts

@@ -1,3 +1,4 @@
+import type { AuditTask } from "../types.js";
 import type { WorkerTask } from "../types/workerSession.js";
 export interface RunPaths {
     runDir: string;
@@ -11,4 +12,5 @@ export interface RunPaths {
 export declare function buildRunId(obligationId: string | null, index: number): string;
 export declare function getRunPaths(artifactsDir: string, runId: string): RunPaths;
 export declare function ensureSupervisorDirs(artifactsDir: string): Promise<void>;
-export declare function writeWorkerTaskFiles(task: WorkerTask, prompt: string, paths: RunPaths, artifactsDir: string): Promise<void>;
+export declare function writeWorkerTaskFiles(task: WorkerTask, prompt: string, paths: RunPaths, artifactsDir: string, currentTasks?: AuditTask[]): Promise<void>;
+export declare function clearDispatchFiles(artifactsDir: string): Promise<void>;

package/dist/io/runArtifacts.js

@@ -1,6 +1,10 @@
-import { mkdir, writeFile } from "node:fs/promises";
-import { join } from "node:path";
+import { mkdir, readFile, rm, writeFile } from "node:fs/promises";
+import { dirname, join, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
 import { writeJsonFile } from "./json.js";
+const moduleDir = dirname(fileURLToPath(import.meta.url));
+const packageRoot = resolve(moduleDir, "..", "..");
+const auditResultSchemaPath = join(packageRoot, "schemas", "audit_result.schema.json");
 export function buildRunId(obligationId, index) {
     const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
     const obligation = (obligationId ?? "terminal").replace(/[^a-zA-Z0-9_-]/g, "-");
@@ -20,11 +24,9 @@ export function getRunPaths(artifactsDir, runId) {
 }
 export async function ensureSupervisorDirs(artifactsDir) {
     await mkdir(join(artifactsDir, "dispatch"), { recursive: true });
-    await mkdir(join(artifactsDir, "worker-results"), { recursive: true });
-    await mkdir(join(artifactsDir, "worker-logs"), { recursive: true });
     await mkdir(join(artifactsDir, "runs"), { recursive: true });
 }
-export async function writeWorkerTaskFiles(task, prompt, paths, artifactsDir) {
+export async function writeWorkerTaskFiles(task, prompt, paths, artifactsDir, currentTasks) {
     await mkdir(paths.runDir, { recursive: true });
     await writeJsonFile(paths.taskPath, task);
     await writeFile(paths.promptPath, prompt, "utf8");
@@ -34,4 +36,17 @@ export async function writeWorkerTaskFiles(task, prompt, paths, artifactsDir) {
     });
     await writeJsonFile(join(artifactsDir, "dispatch", "current-task.json"), task);
     await writeFile(join(artifactsDir, "dispatch", "current-prompt.md"), prompt, "utf8");
+    await writeJsonFile(join(artifactsDir, "dispatch", "current-tasks.json"), currentTasks ?? []);
+    await writeFile(join(artifactsDir, "dispatch", "audit-result.schema.json"), await readFile(auditResultSchemaPath, "utf8"), "utf8");
+}
+export async function clearDispatchFiles(artifactsDir) {
+    const targets = [
+        "current-task.json",
+        "current-prompt.md",
+        "current-tasks.json",
+        "audit-result.schema.json",
+    ];
+    for (const name of targets) {
+        await rm(join(artifactsDir, "dispatch", name), { force: true });
+    }
 }

package/dist/mcp/server.d.ts

@@ -0,0 +1 @@
+export declare function runAuditCodeMcpServer(argv: string[]): Promise<void>;