auditor-lambda 0.2.5 → 0.2.8

package/dist/orchestrator/executors.js

@@ -20,14 +20,19 @@ export const EXECUTOR_REGISTRY = [
         description: "Ingest available audit result artifacts and refresh dependent coverage artifacts.",
     },
     {
-        id: "runtime_validation_update_executor",
+        id: "runtime_validation_executor",
         obligation_ids: ["runtime_validation_current"],
         description: "Merge runtime validation evidence updates when provided.",
     },
+    {
+        id: "runtime_validation_update_executor",
+        obligation_ids: [],
+        description: "Merge imported runtime validation evidence updates.",
+    },
     {
         id: "synthesis_executor",
         obligation_ids: ["synthesis_current"],
-        description: "Refresh merged findings, clusters, and synthesis outputs.",
+        description: "Render the final deterministic Markdown audit report.",
     },
     {
         id: "external_analyzer_import_executor",

package/dist/orchestrator/flowRequeue.d.ts

@@ -1,5 +1,5 @@
 import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
-import type { AuditTask } from "../types.js";
+import type { AuditTask, CoverageMatrix } from "../types.js";
 import type { FlowCoverageManifest } from "../types/flowCoverage.js";
 import type { CriticalFlowManifest } from "../types/flows.js";
-export declare function buildFlowRequeueTasks(criticalFlows: CriticalFlowManifest, flowCoverage: FlowCoverageManifest, externalAnalyzerResults?: ExternalAnalyzerResults): AuditTask[];
+export declare function buildFlowRequeueTasks(criticalFlows: CriticalFlowManifest, flowCoverage: FlowCoverageManifest, coverageMatrix: CoverageMatrix, externalAnalyzerResults?: ExternalAnalyzerResults): AuditTask[];

package/dist/orchestrator/flowRequeue.js

@@ -19,7 +19,14 @@ function taskPriority(hasExternalSignal, lens) {
     }
     return hasExternalSignal ? "medium" : "low";
 }
-export function buildFlowRequeueTasks(criticalFlows, flowCoverage, externalAnalyzerResults) {
+function fileStillNeedsLens(coverageMatrix, path, lens) {
+    const record = coverageMatrix.files.find((file) => file.path === path);
+    if (!record || record.audit_status === "excluded") {
+        return false;
+    }
+    return !record.completed_lenses.includes(lens);
+}
+export function buildFlowRequeueTasks(criticalFlows, flowCoverage, coverageMatrix, externalAnalyzerResults) {
     const flowMap = new Map(criticalFlows.flows.map((flow) => [flow.id, flow]));
     const tasks = [];
     const seen = new Set();
@@ -35,6 +42,9 @@ export function buildFlowRequeueTasks(criticalFlows, flowCoverage, externalAnaly
                 continue;
             }
             for (const path of flow.paths) {
+                if (!fileStillNeedsLens(coverageMatrix, path, lensName)) {
+                    continue;
+                }
                 const signature = `${flow.id}|${lensName}|${path}`;
                 if (seen.has(signature)) {
                     continue;
@@ -47,9 +57,12 @@ export function buildFlowRequeueTasks(criticalFlows, flowCoverage, externalAnaly
                     pass_id: `flow-requeue:${lensName}`,
                     lens: lensName,
                     file_paths: [path],
-                    rationale: `Requeue ${path} because critical flow ${flow.id} is still missing the ${lensName} lens.${hasExternalSignal ? " External analyzer signals make this follow-up higher priority." : ""}`,
+                    rationale: `Mandatory audit coverage is still missing for critical flow ${flow.id} at ${path} under the ${lensName} lens.`,
                     priority: taskPriority(hasExternalSignal, lensName),
-                    tags: hasExternalSignal ? ["external_analyzer_signal"] : [],
+                    tags: hasExternalSignal
+                        ? ["critical_flow_followup", "external_analyzer_signal"]
+                        : ["critical_flow_followup"],
+                    status: "pending",
                 });
             }
         }

package/dist/orchestrator/internalExecutors.d.ts

@@ -9,8 +9,9 @@ export interface ExecutorRunResult {
 }
 export declare function runIntakeExecutor(bundle: ArtifactBundle, root: string): Promise<ExecutorRunResult>;
 export declare function runStructureExecutor(bundle: ArtifactBundle): ExecutorRunResult;
-export declare function runPlanningExecutor(bundle: ArtifactBundle, lineIndex?: Record<string, number>): ExecutorRunResult;
+export declare function runPlanningExecutor(bundle: ArtifactBundle, root: string, lineIndex?: Record<string, number>): Promise<ExecutorRunResult>;
 export declare function runResultIngestionExecutor(bundle: ArtifactBundle, results: AuditResult[]): ExecutorRunResult;
+export declare function runRuntimeValidationExecutor(bundle: ArtifactBundle, root: string): Promise<ExecutorRunResult>;
 export declare function runRuntimeValidationUpdateExecutor(bundle: ArtifactBundle, updates: RuntimeValidationReport): ExecutorRunResult;
 export declare function runSynthesisExecutor(bundle: ArtifactBundle, results?: AuditResult[]): ExecutorRunResult;
 export declare function runExternalAnalyzerImportExecutor(bundle: ArtifactBundle, externalResults: ExternalAnalyzerResults): ExecutorRunResult;

package/dist/orchestrator/internalExecutors.js

@@ -1,3 +1,4 @@
+import { spawn } from "node:child_process";
 import { buildFileDisposition } from "../extractors/disposition.js";
 import { buildGraphBundle } from "../extractors/graph.js";
 import { buildCriticalFlowManifest } from "../extractors/flows.js";
@@ -7,18 +8,48 @@ import { initializeCoverageFromPlan } from "./planning.js";
 import { buildFlowCoverage } from "./flowCoverage.js";
 import { buildFlowAwareTaskAugmentations } from "./flowPlanning.js";
 import { buildRequeuePayload } from "./requeueCommand.js";
-import { buildRuntimeValidationTasks, buildPlaceholderRuntimeValidationReport, mergeRuntimeValidationReport, } from "./runtimeValidation.js";
-import { buildSynthesisReport } from "../reporting/synthesis.js";
+import { buildRuntimeValidationTasks, discoverRuntimeValidationCommand, mergeRuntimeValidationReport, } from "./runtimeValidation.js";
+import { buildAuditReportModel, renderAuditReportMarkdown, } from "../reporting/synthesis.js";
 import { buildChunkedAuditTasks, buildExternalSignalTasks, } from "./taskBuilder.js";
 import { buildUnitManifest } from "./unitBuilder.js";
 import { buildRepoManifestFromFs } from "../extractors/fsIntake.js";
 import { loadIgnoreFile } from "../extractors/ignore.js";
-import { ingestAuditResults } from "./resultIngestion.js";
+import { ingestAuditResults, updateAuditTaskStatuses, } from "./resultIngestion.js";
 import { updateRuntimeValidationReport } from "./runtimeValidationUpdate.js";
-function preserveOrPlaceholder(tasks, existing) {
-    return existing
-        ? mergeRuntimeValidationReport(tasks, existing)
-        : buildPlaceholderRuntimeValidationReport(tasks);
+async function runCommand(command, cwd) {
+    return await new Promise((resolve) => {
+        const child = spawn(command[0], command.slice(1), {
+            cwd,
+            env: process.env,
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        let stdout = "";
+        let stderr = "";
+        child.stdout.on("data", (chunk) => {
+            stdout += String(chunk);
+        });
+        child.stderr.on("data", (chunk) => {
+            stderr += String(chunk);
+        });
+        child.on("error", (error) => {
+            resolve({
+                status: "inconclusive",
+                summary: `Failed to execute ${command.join(" ")}: ${error.message}`,
+                evidence: [],
+            });
+        });
+        child.on("exit", (code) => {
+            const output = `${stdout}\n${stderr}`.trim();
+            const evidence = output.length > 0 ? output.split(/\r?\n/).slice(-10) : [];
+            resolve({
+                status: code === 0 ? "confirmed" : "not_confirmed",
+                summary: code === 0
+                    ? `Deterministic runtime command succeeded: ${command.join(" ")}`
+                    : `Deterministic runtime command failed with exit code ${code}: ${command.join(" ")}`,
+                evidence,
+            });
+        });
+    });
 }
 export async function runIntakeExecutor(bundle, root) {
     const ignore = await loadIgnoreFile(root);
@@ -46,8 +77,8 @@ export function runStructureExecutor(bundle) {
     const disposition = bundle.file_disposition ?? buildFileDisposition(bundle.repo_manifest);
     const unitManifest = buildUnitManifest(bundle.repo_manifest, disposition);
     const surfaceManifest = buildSurfaceManifest(bundle.repo_manifest, disposition);
-    const criticalFlows = buildCriticalFlowManifest(bundle.repo_manifest, surfaceManifest, disposition);
     const graphBundle = buildGraphBundle(bundle.repo_manifest, disposition);
+    const criticalFlows = buildCriticalFlowManifest(bundle.repo_manifest, surfaceManifest, disposition);
     const riskRegister = buildRiskRegister(unitManifest, criticalFlows, externalAnalyzerResults);
     return {
         updated: {
@@ -67,10 +98,13 @@ export function runStructureExecutor(bundle) {
             "critical_flows.json",
             "risk_register.json",
         ],
-        progress_summary: `Built structure artifacts for ${unitManifest.units.length} units and ${criticalFlows.flows.length} critical flows.`,
+        progress_summary: `Built structure artifacts for ${unitManifest.units.length} units and ${criticalFlows.flows.length} critical flows.` +
+            (criticalFlows.fallback_required
+                ? " Deterministic flow inference did not fully meet the confidence bar."
+                : ""),
     };
 }
-export function runPlanningExecutor(bundle, lineIndex = {}) {
+export async function runPlanningExecutor(bundle, root, lineIndex = {}) {
     if (!bundle.repo_manifest) {
         throw new Error("Cannot run planning executor without repo_manifest");
     }
@@ -84,14 +118,25 @@ export function runPlanningExecutor(bundle, lineIndex = {}) {
     const externalAnalyzerResults = bundle.external_analyzer_results;
     const coverage = initializeCoverageFromPlan(bundle.repo_manifest, bundle.unit_manifest, bundle.file_disposition, externalAnalyzerResults);
     const flowCoverage = buildFlowCoverage(bundle.critical_flows, coverage);
-    const runtimeValidationTasks = buildRuntimeValidationTasks(bundle.unit_manifest, bundle.critical_flows, flowCoverage);
-    const runtimeValidationReport = preserveOrPlaceholder(runtimeValidationTasks, bundle.runtime_validation_report);
+    const runtimeCommand = await discoverRuntimeValidationCommand(root);
+    const runtimeValidationTasks = buildRuntimeValidationTasks({
+        unitManifest: bundle.unit_manifest,
+        criticalFlows: bundle.critical_flows,
+        flowCoverage,
+        command: runtimeCommand,
+    });
+    const runtimeValidationReport = runtimeValidationTasks.tasks.length > 0
+        ? mergeRuntimeValidationReport(runtimeValidationTasks, bundle.runtime_validation_report)
+        : undefined;
     const baseTasks = buildChunkedAuditTasks(bundle.unit_manifest, lineIndex, {
         external_analyzer_results: externalAnalyzerResults,
     });
     const analyzerTasks = buildExternalSignalTasks(coverage, lineIndex, externalAnalyzerResults);
     const flowTasks = buildFlowAwareTaskAugmentations([...baseTasks, ...analyzerTasks], bundle.critical_flows, lineIndex);
-    const auditTasks = [...baseTasks, ...analyzerTasks, ...flowTasks];
+    const auditTasks = [...baseTasks, ...analyzerTasks, ...flowTasks].map((task) => ({
+        ...task,
+        status: task.status ?? "pending",
+    }));
     const requeuePayload = buildRequeuePayload(coverage, bundle.critical_flows, flowCoverage, externalAnalyzerResults);
     return {
         updated: {
@@ -102,16 +147,20 @@ export function runPlanningExecutor(bundle, lineIndex = {}) {
             runtime_validation_report: runtimeValidationReport,
             audit_tasks: auditTasks,
             requeue_tasks: requeuePayload.tasks,
+            audit_report: undefined,
         },
         artifacts_written: [
             "coverage_matrix.json",
             "flow_coverage.json",
             "runtime_validation_tasks.json",
-            "runtime_validation_report.json",
+            ...(runtimeValidationReport ? ["runtime_validation_report.json"] : []),
             "audit_tasks.json",
             "requeue_tasks.json",
         ],
-        progress_summary: `Built planning artifacts; generated ${auditTasks.length} tasks and ${requeuePayload.task_count} requeue tasks.${externalAnalyzerResults?.results.length ? ` External analyzer signals influenced lenses and produced ${analyzerTasks.length} dedicated follow-up task(s).` : ""}`,
+        progress_summary: `Built planning artifacts; generated ${auditTasks.length} tasks and ${requeuePayload.task_count} requeue tasks.` +
+            (runtimeCommand
+                ? ` Runtime validation will use: ${runtimeCommand.join(" ")}.`
+                : " No deterministic runtime validation command was discovered."),
     };
 }
 export function runResultIngestionExecutor(bundle, results) {
@@ -122,78 +171,109 @@ export function runResultIngestionExecutor(bundle, results) {
     const flowCoverage = bundle.critical_flows
         ? buildFlowCoverage(bundle.critical_flows, updatedCoverageMatrix)
         : bundle.flow_coverage;
-    const runtimeValidationTasks = bundle.unit_manifest
-        ? buildRuntimeValidationTasks(bundle.unit_manifest, bundle.critical_flows, flowCoverage)
-        : bundle.runtime_validation_tasks;
-    const runtimeValidationReport = runtimeValidationTasks
-        ? preserveOrPlaceholder(runtimeValidationTasks, bundle.runtime_validation_report)
-        : bundle.runtime_validation_report;
     const requeuePayload = buildRequeuePayload(updatedCoverageMatrix, bundle.critical_flows, flowCoverage, bundle.external_analyzer_results);
     const mergedResults = [...(bundle.audit_results ?? []), ...results];
-    const synthesisReport = buildSynthesisReport(mergedResults, runtimeValidationReport, bundle.external_analyzer_results);
+    const updatedAuditTasks = updateAuditTaskStatuses(bundle.audit_tasks, mergedResults);
     return {
         updated: {
             ...bundle,
             coverage_matrix: updatedCoverageMatrix,
             flow_coverage: flowCoverage,
-            runtime_validation_tasks: runtimeValidationTasks,
-            runtime_validation_report: runtimeValidationReport,
             audit_results: mergedResults,
+            audit_tasks: updatedAuditTasks,
             requeue_tasks: requeuePayload.tasks,
-            synthesis_report: synthesisReport,
+            audit_report: undefined,
         },
         artifacts_written: [
             "coverage_matrix.json",
             "flow_coverage.json",
-            "runtime_validation_tasks.json",
-            "runtime_validation_report.json",
             "audit_results.jsonl",
+            "audit_tasks.json",
             "requeue_tasks.json",
-            "synthesis_report.json",
         ],
         progress_summary: `Ingested ${results.length} audit result entries and refreshed dependent artifacts.`,
     };
 }
+export async function runRuntimeValidationExecutor(bundle, root) {
+    if (!bundle.runtime_validation_tasks) {
+        throw new Error("Cannot execute runtime validation without runtime_validation_tasks");
+    }
+    const existing = bundle.runtime_validation_report ?? { results: [] };
+    const byTaskId = new Map(existing.results.map((result) => [result.task_id, result]));
+    const byCommand = new Map();
+    for (const task of bundle.runtime_validation_tasks.tasks) {
+        const prior = byTaskId.get(task.id);
+        if (prior &&
+            ["confirmed", "not_confirmed", "inconclusive", "not_required"].includes(prior.status)) {
+            continue;
+        }
+        if (!task.command || task.command.length === 0) {
+            byTaskId.set(task.id, {
+                task_id: task.id,
+                status: "not_required",
+                summary: `No deterministic runtime command was available for ${task.id}.`,
+                evidence: [],
+                notes: ["Runtime validation was not planned for this task."],
+            });
+            continue;
+        }
+        const signature = task.command.join("\0");
+        const outcome = byCommand.get(signature) ?? (await runCommand(task.command, root));
+        byCommand.set(signature, outcome);
+        byTaskId.set(task.id, {
+            task_id: task.id,
+            status: outcome.status,
+            summary: outcome.summary,
+            evidence: outcome.evidence,
+            notes: [`Target paths: ${task.target_paths.join(", ")}`],
+        });
+    }
+    return {
+        updated: {
+            ...bundle,
+            runtime_validation_report: {
+                results: [...byTaskId.values()].sort((a, b) => a.task_id.localeCompare(b.task_id)),
+            },
+            audit_report: undefined,
+        },
+        artifacts_written: ["runtime_validation_report.json"],
+        progress_summary: `Executed deterministic runtime validation for ${bundle.runtime_validation_tasks.tasks.length} task(s).`,
+    };
+}
 export function runRuntimeValidationUpdateExecutor(bundle, updates) {
     if (!bundle.runtime_validation_tasks) {
         throw new Error("Cannot update runtime validation without runtime_validation_tasks");
     }
-    const existingReport = bundle.runtime_validation_report ??
-        buildPlaceholderRuntimeValidationReport(bundle.runtime_validation_tasks);
+    const existingReport = bundle.runtime_validation_report ?? { results: [] };
     const mergedReport = updateRuntimeValidationReport(bundle.runtime_validation_tasks, existingReport, updates);
-    const synthesisReport = buildSynthesisReport(bundle.audit_results ?? [], mergedReport, bundle.external_analyzer_results);
     return {
         updated: {
             ...bundle,
             runtime_validation_report: mergedReport,
-            synthesis_report: synthesisReport,
+            audit_report: undefined,
         },
-        artifacts_written: [
-            "runtime_validation_report.json",
-            "synthesis_report.json",
-        ],
+        artifacts_written: ["runtime_validation_report.json"],
         progress_summary: `Merged ${updates.results.length} runtime validation updates.`,
     };
 }
 export function runSynthesisExecutor(bundle, results) {
     const finalResults = results ?? bundle.audit_results ?? [];
-    const synthesisReport = buildSynthesisReport(finalResults, bundle.runtime_validation_report, bundle.external_analyzer_results);
-    const mergedFindings = { findings: synthesisReport.merged_findings };
-    const rootCauseClusters = { clusters: synthesisReport.root_cause_clusters };
+    const model = buildAuditReportModel({
+        results: finalResults,
+        unitManifest: bundle.unit_manifest,
+        graphBundle: bundle.graph_bundle,
+        criticalFlows: bundle.critical_flows,
+        coverageMatrix: bundle.coverage_matrix,
+        runtimeValidationReport: bundle.runtime_validation_report,
+    });
     return {
         updated: {
             ...bundle,
             audit_results: finalResults,
-            merged_findings: mergedFindings,
-            root_cause_clusters: rootCauseClusters,
-            synthesis_report: synthesisReport,
+            audit_report: renderAuditReportMarkdown(model),
         },
-        artifacts_written: [
-            "merged_findings.json",
-            "root_cause_clusters.json",
-            "synthesis_report.json",
-        ],
-        progress_summary: `Refreshed synthesis for ${finalResults.length} audit result entries.`,
+        artifacts_written: ["audit-report.md"],
+        progress_summary: `Rendered deterministic audit report for ${finalResults.length} audit result entries.`,
     };
 }
 export function runExternalAnalyzerImportExecutor(bundle, externalResults) {
@@ -202,6 +282,7 @@ export function runExternalAnalyzerImportExecutor(bundle, externalResults) {
         updated: {
             ...bundle,
             external_analyzer_results: externalResults,
+            audit_report: undefined,
         },
         artifacts_written: ["external_analyzer_results.json"],
         progress_summary: summary,

package/dist/orchestrator/requeue.js

@@ -1,6 +1,11 @@
 import { buildRequeueTargets } from "../coverage.js";
-function taskPriority(hasExternalSignal) {
-    return hasExternalSignal ? "high" : "medium";
+function taskPriority(hasExternalSignal, lens) {
+    if (hasExternalSignal)
+        return "high";
+    if (lens === "security" || lens === "data_integrity" || lens === "reliability") {
+        return "medium";
+    }
+    return "low";
 }
 export function buildRequeueTasks(matrix, externalAnalyzerResults) {
     const targets = buildRequeueTargets(matrix);
@@ -15,9 +20,10 @@ export function buildRequeueTasks(matrix, externalAnalyzerResults) {
                 pass_id: `requeue:${lens}`,
                 lens,
                 file_paths: [target.path],
-                rationale: `Requeue ${target.path} because the ${lens} lens is still missing.${hasExternalSignal ? " External analyzer signals make this follow-up higher priority." : ""}`,
-                priority: taskPriority(hasExternalSignal),
+                rationale: `Mandatory audit coverage is still missing for ${target.path} under the ${lens} lens.`,
+                priority: taskPriority(hasExternalSignal, lens),
                 tags: hasExternalSignal ? ["external_analyzer_signal"] : [],
+                status: "pending",
             });
         }
     }

package/dist/orchestrator/requeueCommand.js

@@ -12,12 +12,25 @@ function dedupeTasks(tasks) {
     }
     return deduped;
 }
+function dedupeByScope(tasks) {
+    const seen = new Set();
+    const deduped = [];
+    for (const task of tasks) {
+        const signature = `${task.lens}:${[...task.file_paths].sort().join(",")}`;
+        if (seen.has(signature)) {
+            continue;
+        }
+        seen.add(signature);
+        deduped.push(task);
+    }
+    return deduped;
+}
 export function buildRequeuePayload(matrix, criticalFlows, flowCoverage, externalAnalyzerResults) {
     const fileTasks = dedupeTasks(buildRequeueTasks(matrix, externalAnalyzerResults));
     const flowTasks = criticalFlows && flowCoverage
-        ? dedupeTasks(buildFlowRequeueTasks(criticalFlows, flowCoverage, externalAnalyzerResults))
+        ? dedupeTasks(buildFlowRequeueTasks(criticalFlows, flowCoverage, matrix, externalAnalyzerResults))
         : [];
-    const tasks = dedupeTasks([...fileTasks, ...flowTasks]);
+    const tasks = dedupeByScope(dedupeTasks([...fileTasks, ...flowTasks]));
     return {
         task_count: tasks.length,
         file_task_count: fileTasks.length,

package/dist/orchestrator/resultIngestion.d.ts

@@ -1,2 +1,3 @@
-import type { AuditResult, CoverageMatrix } from "../types.js";
+import type { AuditResult, AuditTask, CoverageMatrix } from "../types.js";
 export declare function ingestAuditResults(coverageMatrix: CoverageMatrix, results: AuditResult[]): CoverageMatrix;
+export declare function updateAuditTaskStatuses(tasks: AuditTask[] | undefined, results: AuditResult[]): AuditTask[] | undefined;

package/dist/orchestrator/resultIngestion.js

@@ -1,14 +1,34 @@
-import { applyReviewedRanges } from "../coverage.js";
+import { applyFileCoverage } from "../coverage.js";
 export function ingestAuditResults(coverageMatrix, results) {
     const matrix = JSON.parse(JSON.stringify(coverageMatrix));
-    const reviewedRanges = results.flatMap((result) => result.reviewed_ranges.map((range) => ({
-        path: range.path,
-        start: range.start,
-        end: range.end,
+    const fileCoverage = results.flatMap((result) => result.file_coverage.map((coverage) => ({
+        path: coverage.path,
+        total_lines: coverage.total_lines,
         pass_id: result.pass_id,
         lens: result.lens,
         agent_role: result.agent_role,
     })));
-    applyReviewedRanges(matrix, reviewedRanges);
+    applyFileCoverage(matrix, fileCoverage);
     return matrix;
 }
+export function updateAuditTaskStatuses(tasks, results) {
+    if (!tasks) {
+        return undefined;
+    }
+    const completedTaskIds = new Set(results.map((result) => result.task_id));
+    const completedAt = new Date().toISOString();
+    return tasks.map((task) => {
+        if (completedTaskIds.has(task.task_id)) {
+            return {
+                ...task,
+                status: "complete",
+                completed_at: task.completed_at ?? completedAt,
+                completion_reason: task.completion_reason ?? "result_ingested",
+            };
+        }
+        return {
+            ...task,
+            status: task.status ?? "pending",
+        };
+    });
+}

package/dist/orchestrator/runtimeValidation.d.ts

@@ -2,6 +2,11 @@ import type { UnitManifest } from "../types.js";
 import type { FlowCoverageManifest } from "../types/flowCoverage.js";
 import type { CriticalFlowManifest } from "../types/flows.js";
 import type { RuntimeValidationReport, RuntimeValidationTaskManifest } from "../types/runtimeValidation.js";
-export declare function buildRuntimeValidationTasks(unitManifest: UnitManifest, criticalFlows?: CriticalFlowManifest, flowCoverage?: FlowCoverageManifest): RuntimeValidationTaskManifest;
-export declare function buildPlaceholderRuntimeValidationReport(tasks: RuntimeValidationTaskManifest): RuntimeValidationReport;
+export declare function discoverRuntimeValidationCommand(root: string): Promise<string[] | undefined>;
+export declare function buildRuntimeValidationTasks(params: {
+    unitManifest: UnitManifest;
+    criticalFlows?: CriticalFlowManifest;
+    flowCoverage?: FlowCoverageManifest;
+    command?: string[];
+}): RuntimeValidationTaskManifest;
 export declare function mergeRuntimeValidationReport(tasks: RuntimeValidationTaskManifest, existing?: RuntimeValidationReport): RuntimeValidationReport;

package/dist/orchestrator/runtimeValidation.js

@@ -1,23 +1,59 @@
+import { access, readFile } from "node:fs/promises";
 function checksForFlow(requiredLenses) {
     const checks = [];
     if (requiredLenses.includes("security")) {
         checks.push("Exercise malformed or unauthorized inputs against the flow.");
     }
     if (requiredLenses.includes("reliability")) {
-        checks.push("Exercise retries, repeated submissions, or partial failure behavior.");
+        checks.push("Exercise retries or repeated submissions.");
     }
     if (requiredLenses.includes("correctness")) {
-        checks.push("Exercise representative success and edge-case paths end to end.");
+        checks.push("Exercise representative success and edge-case behavior.");
     }
     if (requiredLenses.includes("data_integrity")) {
-        checks.push("Verify state transitions and persistence invariants after execution.");
+        checks.push("Verify state transitions and persistence invariants.");
     }
     return checks;
 }
-export function buildRuntimeValidationTasks(unitManifest, criticalFlows, flowCoverage) {
+async function exists(path) {
+    try {
+        await access(path);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export async function discoverRuntimeValidationCommand(root) {
+    const packageJsonPath = `${root}/package.json`;
+    if (await exists(packageJsonPath)) {
+        try {
+            const packageJson = JSON.parse(await readFile(packageJsonPath, "utf8"));
+            const testScript = packageJson.scripts?.test?.trim();
+            if (testScript &&
+                !/no test specified/i.test(testScript)) {
+                return ["npm", "test"];
+            }
+        }
+        catch {
+            // ignore unreadable package.json for runtime discovery
+        }
+    }
+    if (await exists(`${root}/go.mod`)) {
+        return ["go", "test", "./..."];
+    }
+    if (await exists(`${root}/pyproject.toml`) || await exists(`${root}/pytest.ini`)) {
+        return ["python", "-m", "pytest"];
+    }
+    return undefined;
+}
+export function buildRuntimeValidationTasks(params) {
+    if (!params.command) {
+        return { tasks: [] };
+    }
     const tasks = [];
     const seen = new Set();
-    const highRiskUnits = unitManifest.units.filter((unit) => (unit.risk_score ?? 0) >= 5 ||
+    const highRiskUnits = params.unitManifest.units.filter((unit) => (unit.risk_score ?? 0) >= 5 ||
         unit.required_lenses.includes("security") ||
         unit.required_lenses.includes("data_integrity"));
     for (const unit of highRiskUnits) {
@@ -31,16 +67,17 @@ export function buildRuntimeValidationTasks(unitManifest, criticalFlows, flowCov
             target_paths: unit.files,
             reason: `Unit ${unit.unit_id} is high risk or touches sensitive concerns.`,
             priority: (unit.risk_score ?? 0) >= 7 ? "high" : "medium",
+            command: params.command,
             suggested_checks: [
-                "Run representative happy-path execution.",
-                "Run malformed-input or failure-path execution where feasible.",
+                "Run the deterministic runtime command for the repository.",
+                "Confirm the affected unit does not regress under the command output.",
             ],
             source_artifacts: ["unit_manifest.json", "risk_register.json"],
         });
     }
-    if (criticalFlows && flowCoverage) {
-        const flowMap = new Map(criticalFlows.flows.map((flow) => [flow.id, flow]));
-        for (const record of flowCoverage.flows) {
+    if (params.criticalFlows && params.flowCoverage) {
+        const flowMap = new Map(params.criticalFlows.flows.map((flow) => [flow.id, flow]));
+        for (const record of params.flowCoverage.flows) {
             if (record.status === "complete") {
                 continue;
             }
@@ -56,53 +93,28 @@ export function buildRuntimeValidationTasks(unitManifest, criticalFlows, flowCov
                 id,
                 kind: "critical-flow-check",
                 target_paths: flow.paths,
-                reason: `Critical flow ${record.flow_id} is still ${record.status} and should receive runtime validation.`,
+                reason: `Critical flow ${record.flow_id} is still ${record.status} and needs deterministic runtime validation.`,
                 priority: record.status === "pending" ? "high" : "medium",
+                command: params.command,
                 suggested_checks: checksForFlow(record.required_lenses),
                 source_artifacts: ["critical_flows.json", "flow_coverage.json"],
             });
         }
     }
-    const RUNTIME_TASK_CAP = 100;
-    if (tasks.length > RUNTIME_TASK_CAP) {
-        process.stderr.write(`[runtime-validation] generated ${tasks.length} tasks which exceeds the cap of ${RUNTIME_TASK_CAP}; truncating to avoid runaway expansion\n`);
-        tasks.splice(RUNTIME_TASK_CAP);
-    }
     return { tasks };
 }
-export function buildPlaceholderRuntimeValidationReport(tasks) {
-    return {
-        results: tasks.tasks.map((task) => ({
-            task_id: task.id,
-            status: "pending",
-            summary: `No runtime evidence recorded yet for ${task.id}.`,
-            evidence: [],
-            notes: ["Placeholder entry generated from runtime validation task list."],
-        })),
-    };
-}
 export function mergeRuntimeValidationReport(tasks, existing) {
     const existingMap = new Map((existing?.results ?? []).map((result) => [result.task_id, result]));
-    const mergedResults = tasks.tasks.map((task) => {
-        const prior = existingMap.get(task.id);
-        if (prior) {
-            return {
-                ...prior,
-                notes: [
-                    ...new Set([
-                        ...(prior.notes ?? []),
-                        "Preserved across runtime validation refresh.",
-                    ]),
-                ],
-            };
-        }
-        return {
-            task_id: task.id,
-            status: "pending",
-            summary: `No runtime evidence recorded yet for ${task.id}.`,
-            evidence: [],
-            notes: ["Placeholder entry generated from runtime validation task list."],
-        };
-    });
-    return { results: mergedResults };
+    return {
+        results: tasks.tasks.map((task) => {
+            const prior = existingMap.get(task.id);
+            return (prior ?? {
+                task_id: task.id,
+                status: "pending",
+                summary: `Deterministic runtime validation has not executed yet for ${task.id}.`,
+                evidence: [],
+                notes: [],
+            });
+        }),
+    };
 }