auditor-lambda 0.2.5 → 0.2.8

package/dist/orchestrator/runtimeValidationUpdate.js

@@ -38,11 +38,9 @@ export function updateRuntimeValidationReport(tasks, existing, updates) {
             merged.set(task.id, {
                 task_id: task.id,
                 status: "pending",
-                summary: `No runtime evidence recorded yet for ${task.id}.`,
+                summary: `Deterministic runtime validation has not executed yet for ${task.id}.`,
                 evidence: [],
-                notes: [
-                    "Placeholder entry generated from runtime validation task list.",
-                ],
+                notes: [],
             });
         }
     }

package/dist/orchestrator/state.js

@@ -43,23 +43,40 @@ export function deriveAuditState(bundle) {
         "requeue_tasks.json",
     ], planningReady)));
     const hasRequiredCoverage = bundle.coverage_matrix?.files.every((f) => f.required_lenses.every((req) => f.completed_lenses.includes(req))) ?? true;
+    const hasCompletedTaskStatuses = bundle.audit_tasks?.length
+        ? bundle.audit_tasks.every((task) => task.status === "complete")
+        : false;
+    const hasResultForEveryTask = bundle.audit_tasks?.length && bundle.audit_results
+        ? bundle.audit_tasks.every((task) => bundle.audit_results?.some((result) => result.task_id === task.task_id))
+        : false;
     if (!hasRequiredCoverage &&
+        !hasCompletedTaskStatuses &&
+        !hasResultForEveryTask &&
         has(bundle.audit_tasks) &&
         (bundle.audit_tasks?.length ?? 0) > 0) {
         obligations.push(obligation("audit_tasks_completed", "missing"));
     }
-    else if (hasRequiredCoverage && has(bundle.audit_tasks)) {
+    else if ((hasRequiredCoverage || hasCompletedTaskStatuses || hasResultForEveryTask) &&
+        has(bundle.audit_tasks)) {
         obligations.push(obligation("audit_tasks_completed", "satisfied"));
     }
-    obligations.push(obligation("audit_results_ingested", has(bundle.audit_results) ? "present" : "missing"));
-    obligations.push(obligation("runtime_validation_current", staleOrSatisfied(staleArtifacts, ["runtime_validation_report.json"], has(bundle.runtime_validation_report))));
-    obligations.push(obligation("synthesis_current", staleOrSatisfied(staleArtifacts, [
-        "merged_findings.json",
-        "root_cause_clusters.json",
-        "synthesis_report.json",
-    ], has(bundle.merged_findings) &&
-        has(bundle.root_cause_clusters) &&
-        has(bundle.synthesis_report))));
+    obligations.push(obligation("audit_results_ingested", (bundle.audit_tasks?.length ?? 0) === 0 || has(bundle.audit_results)
+        ? "present"
+        : "missing"));
+    const runtimeTasks = bundle.runtime_validation_tasks?.tasks ?? [];
+    const runtimeResults = bundle.runtime_validation_report?.results ?? [];
+    const runtimeReady = runtimeTasks.length === 0 ||
+        (runtimeTasks.length > 0 &&
+            runtimeTasks.every((task) => runtimeResults.some((result) => result.task_id === task.id &&
+                result.status !== "pending")));
+    obligations.push(obligation("runtime_validation_current", runtimeReady
+        ? "satisfied"
+        : has(bundle.runtime_validation_report)
+            ? "missing"
+            : "missing", runtimeTasks.length === 0
+        ? "No deterministic runtime validation tasks were planned."
+        : undefined));
+    obligations.push(obligation("synthesis_current", staleOrSatisfied(staleArtifacts, ["audit-report.md"], has(bundle.audit_report))));
     let status = "not_started";
     if (!has(bundle.repo_manifest)) {
         status = "not_started";
@@ -71,10 +88,7 @@ export function deriveAuditState(bundle) {
         status = "active";
     }
     const incomplete = obligations.some((o) => o.state === "missing" || o.state === "stale");
-    if (!incomplete &&
-        has(bundle.synthesis_report) &&
-        has(bundle.merged_findings) &&
-        has(bundle.root_cause_clusters)) {
+    if (!incomplete && has(bundle.audit_report)) {
         status = "complete";
     }
     return {

package/dist/orchestrator/taskBuilder.js

@@ -1,3 +1,4 @@
+import { isTrivialAuditPath } from "./trivialAudit.js";
 function taskPriority(hasExternalSignal, lens) {
     if (hasExternalSignal &&
         (lens === "security" || lens === "data_integrity" || lens === "reliability")) {
@@ -57,12 +58,13 @@ export function buildChunkedAuditTasks(unitManifest, unitLineIndex, options = {}
             const hasExternalSignal = unit.files.some((f) => externalPaths.has(f));
             const priority = taskPriority(hasExternalSignal, lens);
             const tags = hasExternalSignal ? ["external_analyzer_signal"] : [];
+            const candidateFiles = unit.files.filter((filePath) => !isTrivialAuditPath(filePath, unitLineIndex[filePath] ?? 0, externalPaths.has(filePath)));
             // Split files that are individually too large to group; everything else
             // goes into one task so the agent can reason across file boundaries.
             const oversizedFiles = fileSplitThreshold > 0
-                ? unit.files.filter((f) => (unitLineIndex[f] ?? 0) > fileSplitThreshold)
+                ? candidateFiles.filter((f) => (unitLineIndex[f] ?? 0) > fileSplitThreshold)
                 : [];
-            const normalFiles = unit.files.filter((f) => !oversizedFiles.includes(f));
+            const normalFiles = candidateFiles.filter((f) => !oversizedFiles.includes(f));
             // One task for all normal-sized files in this unit under this lens.
             if (normalFiles.length > 0) {
                 const id = `${unit.unit_id}:${lens}`;

package/dist/orchestrator/trivialAudit.d.ts

@@ -0,0 +1,4 @@
+import type { CoverageMatrix } from "../types.js";
+import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
+export declare function isTrivialAuditPath(path: string, lineCount: number, hasExternalSignal?: boolean): boolean;
+export declare function autoCompleteTrivialCoverage(coverage: CoverageMatrix, lineIndex: Record<string, number>, externalAnalyzerResults?: ExternalAnalyzerResults): string[];

package/dist/orchestrator/trivialAudit.js

@@ -0,0 +1,49 @@
+const TRIVIAL_DOTFILES = new Set([".gitignore", ".gitattributes"]);
+function basename(path) {
+    const normalized = path.replaceAll("\\", "/");
+    const parts = normalized.split("/");
+    return parts[parts.length - 1] ?? normalized;
+}
+export function isTrivialAuditPath(path, lineCount, hasExternalSignal = false) {
+    if (hasExternalSignal) {
+        return false;
+    }
+    if (lineCount === 0) {
+        return true;
+    }
+    const name = basename(path).toLowerCase();
+    if (TRIVIAL_DOTFILES.has(name)) {
+        return true;
+    }
+    // Empty package markers and docstring-only __init__.py files create a lot of
+    // audit churn without adding meaningful coverage signal.
+    if (name === "__init__.py" && lineCount <= 3) {
+        return true;
+    }
+    if (lineCount <= 1) {
+        return true;
+    }
+    return false;
+}
+export function autoCompleteTrivialCoverage(coverage, lineIndex, externalAnalyzerResults) {
+    const externalPaths = new Set((externalAnalyzerResults?.results ?? []).map((item) => item.path));
+    const skipped = [];
+    for (const file of coverage.files) {
+        if (file.audit_status === "excluded") {
+            continue;
+        }
+        if (!isTrivialAuditPath(file.path, lineIndex[file.path] ?? 0, externalPaths.has(file.path))) {
+            continue;
+        }
+        if (file.required_lenses.length === 0) {
+            continue;
+        }
+        file.completed_lenses = [];
+        file.required_lenses = [];
+        file.audit_status = "excluded";
+        file.classification_status = "excluded_trivial";
+        file.unit_ids = [];
+        skipped.push(file.path);
+    }
+    return skipped.sort();
+}

package/dist/prompts/renderWorkerPrompt.js

@@ -20,12 +20,16 @@ export function renderWorkerPrompt(task) {
             "  2. Review the content under the specified lens.",
             "  3. Emit one AuditResult with:",
             "       task_id, unit_id, pass_id, lens",
-            "       reviewed_ranges: [{path, start, end}] covering what you read",
+            "       file_coverage: [{path, total_lines}] for every assigned file you reviewed",
             "       findings: array (empty if nothing found)",
+            "     total_lines must match the file's current total line count.",
             "     Each finding must include:",
             "       id, title, category, severity, confidence, lens, summary, affected_files,",
-            "       evidence (at least one excerpt or line reference from the file you read)",
+            "       evidence (an array of plain strings only, at least one excerpt or line reference from the file you read)",
+            "       Example evidence entry: src/foo.ts:42 - variable overwritten before use",
             "     Optional finding fields: impact, likelihood, reproduction, systemic, related_findings",
+            "     Low-priority tasks still require a real review. Use findings: [] only when you genuinely found nothing notable.",
+            `Reference schema: ${task.artifacts_dir}/dispatch/audit-result.schema.json`,
             `Write the AuditResult[] JSON array to: ${task.audit_results_path}`,
         ];
         if (task.skip_worker_command) {

package/dist/providers/spawnLoggedCommand.js

@@ -11,14 +11,25 @@ export async function spawnLoggedCommand(command, args, input, env) {
     return await new Promise((resolve, reject) => {
         const stdoutLog = createWriteStream(input.stdoutPath, { flags: "a" });
         const stderrLog = createWriteStream(input.stderrPath, { flags: "a" });
+        const startedAt = Date.now();
+        let timedOut = false;
         const child = spawn(command, args, {
             cwd: input.repoRoot,
             env: { ...process.env, ...env },
             stdio: ["ignore", "pipe", "pipe"],
         });
         const timer = setTimeout(() => {
+            timedOut = true;
             child.kill("SIGTERM");
         }, input.timeoutMs);
+        const heartbeat = setInterval(() => {
+            const elapsedMs = Date.now() - startedAt;
+            const message = `[provider] run ${input.runId} still running after ${elapsedMs}ms\n`;
+            tee(stderrLog, message);
+            if (input.uiMode === "visible") {
+                process.stderr.write(message);
+            }
+        }, 30_000);
         child.stdout.on("data", (chunk) => {
             tee(stdoutLog, chunk);
             if (input.uiMode === "visible") {
@@ -33,14 +44,20 @@ export async function spawnLoggedCommand(command, args, input, env) {
         });
         child.on("error", (error) => {
             clearTimeout(timer);
+            clearInterval(heartbeat);
             stdoutLog.end();
             stderrLog.end();
             reject(error);
         });
         child.on("exit", (code, signal) => {
             clearTimeout(timer);
+            clearInterval(heartbeat);
             stdoutLog.end();
             stderrLog.end();
+            if (timedOut) {
+                reject(new Error(`Fresh session timed out after ${input.timeoutMs}ms for run ${input.runId}.`));
+                return;
+            }
             resolve({
                 accepted: true,
                 processId: child.pid,

package/dist/reporting/mergeFindings.js

@@ -42,7 +42,9 @@ function runtimeSummary(report) {
     if (!report) {
         return [];
     }
-    return report.results.map((result) => `${result.task_id}: ${result.status} — ${result.summary}`);
+    return report.results
+        .filter((result) => result.status !== "pending")
+        .map((result) => `${result.task_id}: ${result.status} — ${result.summary}`);
 }
 function externalSummary(results) {
     if (!results) {
@@ -80,9 +82,6 @@ export function mergeFindings(results, runtimeReport, externalAnalyzerResults) {
                             ...analyzerEvidence,
                         ]),
                     ],
-                    related_findings: [
-                        ...new Set([...(finding.related_findings ?? []), finding.id]),
-                    ],
                 });
                 continue;
             }
@@ -108,13 +107,6 @@ export function mergeFindings(results, runtimeReport, externalAnalyzerResults) {
                     ...analyzerEvidence,
                 ]),
             ];
-            existing.related_findings = [
-                ...new Set([
-                    ...(existing.related_findings ?? []),
-                    ...(finding.related_findings ?? []),
-                    finding.id,
-                ]),
-            ];
         }
     }
     return [...merged.values()].sort((a, b) => {

package/dist/reporting/rootCause.js

@@ -29,14 +29,94 @@ function summarizeExternal(results) {
         return "No external analyzer signals attached.";
     return `${results.tool}:${results.results.length}`;
 }
+const STOP_WORDS = new Set([
+    "a",
+    "an",
+    "and",
+    "are",
+    "be",
+    "by",
+    "for",
+    "from",
+    "in",
+    "into",
+    "is",
+    "missing",
+    "not",
+    "of",
+    "on",
+    "or",
+    "that",
+    "the",
+    "this",
+    "to",
+    "under",
+    "when",
+    "with",
+]);
+function normalizeToken(token) {
+    if (token.endsWith("ies") && token.length > 4) {
+        return `${token.slice(0, -3)}y`;
+    }
+    if (token.endsWith("ing") && token.length > 6) {
+        return token.slice(0, -3);
+    }
+    if (token.endsWith("ed") && token.length > 5) {
+        return token.slice(0, -2);
+    }
+    if (token.endsWith("s") && token.length > 4) {
+        return token.slice(0, -1);
+    }
+    return token;
+}
+function extractSemanticTerms(finding) {
+    const source = [
+        finding.title,
+        finding.summary,
+        ...(finding.evidence ?? []).slice(0, 2),
+    ]
+        .join(" ")
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, " ");
+    const terms = source
+        .split(/\s+/)
+        .map(normalizeToken)
+        .filter((token) => token.length >= 3 &&
+        !STOP_WORDS.has(token) &&
+        token !== finding.lens &&
+        token !== finding.category &&
+        !/^\d+$/.test(token));
+    return [...new Set(terms)];
+}
 function clusterKey(finding) {
-    const primaryPath = finding.affected_files[0]?.path ?? "";
-    const pathPrefix = primaryPath.split("/").slice(0, 2).join("/");
-    return `${finding.lens}:${finding.category}:${pathPrefix}`;
+    const semanticTerms = extractSemanticTerms(finding).slice(0, 3).join(" ");
+    return `${finding.lens}:${finding.category}:${semanticTerms || finding.title.toLowerCase()}`;
+}
+function representativeFinding(grouped) {
+    return [...grouped].sort((a, b) => {
+        const severityDelta = severityRank(b.severity) - severityRank(a.severity);
+        if (severityDelta !== 0)
+            return severityDelta;
+        const systemicDelta = Number(Boolean(b.systemic)) - Number(Boolean(a.systemic));
+        if (systemicDelta !== 0)
+            return systemicDelta;
+        return a.title.localeCompare(b.title);
+    })[0];
+}
+function titleForCluster(grouped) {
+    return representativeFinding(grouped).title;
 }
-function titleForCluster(key) {
-    const [lens, category, scope] = key.split(":");
-    return `${lens}/${category}${scope ? ` in ${scope}` : ""}`;
+function summarizeFiles(grouped) {
+    const paths = [
+        ...new Set(grouped.flatMap((finding) => finding.affected_files.map((file) => file.path))),
+    ].sort();
+    if (paths.length === 0) {
+        return "no representative files recorded";
+    }
+    if (paths.length <= 3) {
+        return paths.join(", ");
+    }
+    return `${paths.slice(0, 3).join(", ")}, +${paths.length - 3} more`;
 }
 export function buildRootCauseClusters(findings, runtimeReport, externalAnalyzerResults) {
     const groups = new Map();
@@ -50,12 +130,15 @@ export function buildRootCauseClusters(findings, runtimeReport, externalAnalyzer
     const externalSummary = summarizeExternal(externalAnalyzerResults);
     return [...groups.entries()]
         .map(([key, grouped], index) => {
-        const highestSeverity = grouped.reduce((max, finding) => Math.max(max, severityRank(finding.severity)), 1);
+        const representative = representativeFinding(grouped);
         const systemicCount = grouped.filter((finding) => finding.systemic).length;
+        const theme = key.split(":").slice(2).join(":") || representative.title;
         return {
             id: `cluster-${index + 1}`,
-            title: titleForCluster(key),
-            summary: `Grouped ${grouped.length} finding(s); highest severity ${highestSeverity}; systemic flags ${systemicCount}. Runtime validation status: ${runtimeSummary}. External analyzer summary: ${externalSummary}.`,
+            title: titleForCluster(grouped),
+            summary: `Theme "${theme}" groups ${grouped.length} finding(s) across ${summarizeFiles(grouped)}; ` +
+                `highest severity ${representative.severity}; systemic flags ${systemicCount}. ` +
+                `Runtime validation status: ${runtimeSummary}. External analyzer summary: ${externalSummary}.`,
             finding_ids: grouped.map((finding) => finding.id),
         };
     })

package/dist/reporting/synthesis.d.ts

@@ -1,24 +1,27 @@
-import type { AuditResult } from "../types.js";
-import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
+import type { AuditResult, CoverageMatrix, Finding, UnitManifest } from "../types.js";
+import type { CriticalFlowManifest } from "../types/flows.js";
+import type { GraphBundle } from "../types/graph.js";
 import type { RuntimeValidationReport } from "../types/runtimeValidation.js";
-import { mergeFindings } from "./mergeFindings.js";
-import { buildRootCauseClusters } from "./rootCause.js";
-import { buildWorkBlocks } from "./workBlocks.js";
-export interface SynthesisReport {
-    summary: {
-        finding_count: number;
-        cluster_count: number;
-        work_block_count: number;
-        runtime_validation_status_breakdown: Record<string, number>;
-        notes: string[];
-        severity_breakdown: Record<string, number>;
-        external_analyzer_summary: {
-            tool_count: number;
-            result_count: number;
-        };
-    };
-    merged_findings: ReturnType<typeof mergeFindings>;
-    root_cause_clusters: ReturnType<typeof buildRootCauseClusters>;
-    work_blocks: ReturnType<typeof buildWorkBlocks>;
+import { type WorkBlock } from "./workBlocks.js";
+export interface AuditReportSummary {
+    finding_count: number;
+    work_block_count: number;
+    severity_breakdown: Record<string, number>;
+    audited_file_count: number;
+    excluded_file_count: number;
+    runtime_validation_status_breakdown: Record<string, number>;
 }
-export declare function buildSynthesisReport(results: AuditResult[], runtimeReport?: RuntimeValidationReport, externalAnalyzerResults?: ExternalAnalyzerResults): SynthesisReport;
+export interface AuditReportModel {
+    summary: AuditReportSummary;
+    findings: Finding[];
+    work_blocks: WorkBlock[];
+}
+export declare function buildAuditReportModel(params: {
+    results: AuditResult[];
+    unitManifest?: UnitManifest;
+    graphBundle?: GraphBundle;
+    criticalFlows?: CriticalFlowManifest;
+    coverageMatrix?: CoverageMatrix;
+    runtimeValidationReport?: RuntimeValidationReport;
+}): AuditReportModel;
+export declare function renderAuditReportMarkdown(model: AuditReportModel): string;

package/dist/reporting/synthesis.js

@@ -1,13 +1,5 @@
-import { mergeFindings } from "./mergeFindings.js";
-import { buildRootCauseClusters } from "./rootCause.js";
 import { buildWorkBlocks } from "./workBlocks.js";
-function statusBreakdown(report) {
-    const breakdown = {};
-    for (const result of report?.results ?? []) {
-        breakdown[result.status] = (breakdown[result.status] ?? 0) + 1;
-    }
-    return breakdown;
-}
+import { mergeFindings } from "./mergeFindings.js";
 function severityBreakdown(findings) {
     const breakdown = {};
     for (const finding of findings) {
@@ -15,63 +7,104 @@ function severityBreakdown(findings) {
     }
     return breakdown;
 }
-function zeroFindingLensNotes(results) {
-    const tasksByLens = new Map();
-    const findingsByLens = new Map();
-    for (const result of results) {
-        tasksByLens.set(result.lens, (tasksByLens.get(result.lens) ?? 0) + 1);
-        findingsByLens.set(result.lens, (findingsByLens.get(result.lens) ?? 0) + result.findings.length);
+function runtimeStatusBreakdown(report) {
+    const breakdown = {};
+    for (const result of report?.results ?? []) {
+        breakdown[result.status] = (breakdown[result.status] ?? 0) + 1;
     }
-    const zeroLenses = [...tasksByLens.entries()]
-        .filter(([lens, count]) => count > 0 && (findingsByLens.get(lens) ?? 0) === 0)
-        .map(([lens]) => lens)
-        .sort();
-    if (zeroLenses.length === 0)
-        return [];
-    return [
-        `Zero findings across all reviewed tasks for lens(es): ${zeroLenses.join(", ")}. Verify these tasks were genuinely reviewed rather than batch-generated.`,
-    ];
+    return breakdown;
 }
-function externalSummary(results) {
-    if (!results) {
-        return { tool_count: 0, result_count: 0 };
-    }
+function coverageSummary(coverage) {
+    const files = coverage?.files ?? [];
     return {
-        tool_count: results.tool ? 1 : 0,
-        result_count: results.results.length,
+        audited_file_count: files.filter((file) => file.audit_status === "complete").length,
+        excluded_file_count: files.filter((file) => file.audit_status === "excluded").length,
     };
 }
-export function buildSynthesisReport(results, runtimeReport, externalAnalyzerResults) {
-    const merged_findings = mergeFindings(results, runtimeReport, externalAnalyzerResults);
-    const root_cause_clusters = buildRootCauseClusters(merged_findings, runtimeReport, externalAnalyzerResults);
-    const work_blocks = buildWorkBlocks(merged_findings);
-    const runtimeBreakdown = statusBreakdown(runtimeReport);
-    const sevBreakdown = severityBreakdown(merged_findings);
-    const extSummary = externalSummary(externalAnalyzerResults);
+function formatSeverityList(summary) {
+    const ordered = ["critical", "high", "medium", "low", "info"];
+    const parts = ordered
+        .filter((severity) => (summary[severity] ?? 0) > 0)
+        .map((severity) => `${severity}: ${summary[severity]}`);
+    return parts.length > 0 ? parts.join(", ") : "none";
+}
+export function buildAuditReportModel(params) {
+    const findings = mergeFindings(params.results, params.runtimeValidationReport);
+    const workBlocks = buildWorkBlocks({
+        findings,
+        unitManifest: params.unitManifest,
+        graphBundle: params.graphBundle,
+        criticalFlows: params.criticalFlows,
+    });
+    const coverage = coverageSummary(params.coverageMatrix);
     return {
         summary: {
-            finding_count: merged_findings.length,
-            cluster_count: root_cause_clusters.length,
-            work_block_count: work_blocks.length,
-            runtime_validation_status_breakdown: runtimeBreakdown,
-            severity_breakdown: sevBreakdown,
-            external_analyzer_summary: extSummary,
-            notes: [
-                ...(Object.keys(runtimeBreakdown).length === 0
-                    ? ["No runtime validation evidence attached."]
-                    : [
-                        "Runtime validation evidence has been incorporated into synthesis.",
-                    ]),
-                ...(extSummary.result_count > 0
-                    ? [
-                        `External analyzer signals incorporated: ${extSummary.result_count} result(s) from ${externalAnalyzerResults?.tool}.`,
-                    ]
-                    : []),
-                ...zeroFindingLensNotes(results),
-            ],
+            finding_count: findings.length,
+            work_block_count: workBlocks.length,
+            severity_breakdown: severityBreakdown(findings),
+            audited_file_count: coverage.audited_file_count,
+            excluded_file_count: coverage.excluded_file_count,
+            runtime_validation_status_breakdown: runtimeStatusBreakdown(params.runtimeValidationReport),
         },
-        merged_findings,
-        root_cause_clusters,
-        work_blocks,
+        findings,
+        work_blocks: workBlocks,
     };
 }
+export function renderAuditReportMarkdown(model) {
+    const lines = [
+        "# Audit Report",
+        "",
+        "## Summary",
+        "",
+        `- Findings: ${model.summary.finding_count}`,
+        `- Work blocks: ${model.summary.work_block_count}`,
+        `- Severity breakdown: ${formatSeverityList(model.summary.severity_breakdown)}`,
+        `- Fully audited files: ${model.summary.audited_file_count}`,
+        `- Excluded non-auditable files: ${model.summary.excluded_file_count}`,
+        "",
+        "## Work Blocks",
+        "",
+    ];
+    if (model.work_blocks.length === 0) {
+        lines.push("No remediation work blocks were generated.", "");
+    }
+    else {
+        for (const block of model.work_blocks) {
+            lines.push(`### ${block.id}`);
+            lines.push("");
+            lines.push(`- Max severity: ${block.max_severity}`);
+            lines.push(`- Units: ${block.unit_ids.join(", ")}`);
+            lines.push(`- Owned files: ${block.owned_files.join(", ")}`);
+            lines.push(`- Findings: ${block.finding_ids.join(", ")}`);
+            lines.push(`- Depends on: ${block.depends_on.length > 0 ? block.depends_on.join(", ") : "none"}`);
+            lines.push(`- Rationale: ${block.rationale}`);
+            lines.push("");
+        }
+    }
+    lines.push("## Findings", "");
+    if (model.findings.length === 0) {
+        lines.push("No findings were recorded.", "");
+    }
+    else {
+        for (const finding of model.findings) {
+            lines.push(`### ${finding.id} — ${finding.title}`);
+            lines.push("");
+            lines.push(`- Severity: ${finding.severity}`);
+            lines.push(`- Confidence: ${finding.confidence}`);
+            lines.push(`- Lens: ${finding.lens}`);
+            lines.push(`- Files: ${finding.affected_files.map((file) => file.path).join(", ")}`);
+            lines.push(`- Summary: ${finding.summary}`);
+            if (finding.evidence && finding.evidence.length > 0) {
+                lines.push("- Evidence:");
+                for (const evidence of finding.evidence) {
+                    lines.push(`  - ${evidence}`);
+                }
+            }
+            lines.push("");
+        }
+    }
+    lines.push("## Scope and Coverage", "");
+    lines.push("This report is deterministic output from the completed audit. Non-auditable files were excluded from scope before task generation.");
+    lines.push("");
+    return lines.join("\n");
+}

package/dist/reporting/workBlocks.d.ts

@@ -1,9 +1,18 @@
-import type { Finding } from "../types.js";
+import type { Finding, UnitManifest } from "../types.js";
+import type { CriticalFlowManifest } from "../types/flows.js";
+import type { GraphBundle } from "../types/graph.js";
 export interface WorkBlock {
     id: string;
     finding_ids: string[];
-    affected_files: string[];
+    unit_ids: string[];
+    owned_files: string[];
     max_severity: Finding["severity"];
     rationale: string;
+    depends_on: string[];
 }
-export declare function buildWorkBlocks(findings: Finding[]): WorkBlock[];
+export declare function buildWorkBlocks(params: {
+    findings: Finding[];
+    unitManifest?: UnitManifest;
+    graphBundle?: GraphBundle;
+    criticalFlows?: CriticalFlowManifest;
+}): WorkBlock[];