auditor-lambda 0.2.5 → 0.2.8

package/dist/validation/auditResults.js

@@ -9,77 +9,193 @@ const REQUIRED_FINDING_FIELDS = [
 ];
 const VALID_SEVERITIES = new Set(["critical", "high", "medium", "low", "info"]);
 const VALID_CONFIDENCES = new Set(["high", "medium", "low"]);
+const VALID_LENSES = new Set([
+    "correctness",
+    "architecture",
+    "maintainability",
+    "security",
+    "reliability",
+    "performance",
+    "data_integrity",
+    "tests",
+    "operability",
+    "config_deployment",
+]);
+function pushIssue(issues, params) {
+    issues.push({
+        ...params,
+        severity: params.severity ?? "error",
+    });
+}
+function describeValue(value) {
+    if (Array.isArray(value)) {
+        return "array";
+    }
+    if (value === null) {
+        return "null";
+    }
+    return typeof value;
+}
+function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isNonEmptyString(value) {
+    return typeof value === "string" && value.trim().length > 0;
+}
+function issueTaskId(record, resultIndex) {
+    const taskId = record.task_id;
+    return typeof taskId === "string" && taskId.trim().length > 0
+        ? taskId
+        : `result[${resultIndex}]`;
+}
+function validateRequiredStringField(value, label, taskId, resultIndex, issues) {
+    if (typeof value !== "string") {
+        pushIssue(issues, {
+            result_index: resultIndex,
+            task_id: taskId,
+            field: label,
+            message: `${label} must be a string, got ${describeValue(value)}.`,
+        });
+        return;
+    }
+    if (value.trim().length === 0) {
+        pushIssue(issues, {
+            result_index: resultIndex,
+            task_id: taskId,
+            field: label,
+            message: `${label} must not be empty.`,
+        });
+    }
+}
 function validateFinding(finding, label, taskId, resultIndex) {
     const issues = [];
+    if (!isRecord(finding)) {
+        pushIssue(issues, {
+            result_index: resultIndex,
+            task_id: taskId,
+            field: label,
+            message: `${label} must be an object, got ${describeValue(finding)}.`,
+        });
+        return issues;
+    }
     for (const field of REQUIRED_FINDING_FIELDS) {
-        const value = finding[field];
-        if (value === undefined || value === null || String(value).trim() === "") {
-            issues.push({
-                result_index: resultIndex,
-                task_id: taskId,
-                severity: "error",
-                field: `${label}.${field}`,
-                message: `Required field '${field}' is missing or empty.`,
-            });
-        }
+        validateRequiredStringField(finding[field], `${label}.${field}`, taskId, resultIndex, issues);
     }
-    if (finding.severity && !VALID_SEVERITIES.has(finding.severity)) {
-        issues.push({
+    if (typeof finding.severity === "string" &&
+        !VALID_SEVERITIES.has(finding.severity)) {
+        pushIssue(issues, {
             result_index: resultIndex,
             task_id: taskId,
-            severity: "error",
             field: `${label}.severity`,
             message: `Invalid severity '${finding.severity}'. Must be one of: ${[...VALID_SEVERITIES].join(", ")}.`,
         });
     }
-    if (finding.confidence && !VALID_CONFIDENCES.has(finding.confidence)) {
-        issues.push({
+    if (typeof finding.confidence === "string" &&
+        !VALID_CONFIDENCES.has(finding.confidence)) {
+        pushIssue(issues, {
             result_index: resultIndex,
             task_id: taskId,
-            severity: "error",
             field: `${label}.confidence`,
             message: `Invalid confidence '${finding.confidence}'. Must be one of: ${[...VALID_CONFIDENCES].join(", ")}.`,
         });
     }
-    if (!finding.affected_files || finding.affected_files.length === 0) {
-        issues.push({
+    if (typeof finding.lens === "string" && !VALID_LENSES.has(finding.lens)) {
+        pushIssue(issues, {
+            result_index: resultIndex,
+            task_id: taskId,
+            field: `${label}.lens`,
+            message: `Invalid lens '${finding.lens}'. Must be one of: ${[...VALID_LENSES].join(", ")}.`,
+        });
+    }
+    const affectedFiles = finding.affected_files;
+    if (!Array.isArray(affectedFiles) || affectedFiles.length === 0) {
+        pushIssue(issues, {
             result_index: resultIndex,
             task_id: taskId,
-            severity: "error",
             field: `${label}.affected_files`,
-            message: "affected_files is empty — at least one file location is required.",
+            message: "affected_files must be a non-empty array.",
         });
     }
     else {
-        for (let k = 0; k < finding.affected_files.length; k++) {
-            const af = finding.affected_files[k];
-            if (!af.path?.trim()) {
-                issues.push({
+        for (let k = 0; k < affectedFiles.length; k++) {
+            const item = affectedFiles[k];
+            if (!isRecord(item)) {
+                pushIssue(issues, {
+                    result_index: resultIndex,
+                    task_id: taskId,
+                    field: `${label}.affected_files[${k}]`,
+                    message: `affected_files[${k}] must be an object, got ${describeValue(item)}.`,
+                });
+                continue;
+            }
+            if (!isNonEmptyString(item.path)) {
+                pushIssue(issues, {
                     result_index: resultIndex,
                     task_id: taskId,
-                    severity: "error",
                     field: `${label}.affected_files[${k}].path`,
                     message: "affected_files entry has an empty path.",
                 });
             }
+            if (item.line_start !== undefined &&
+                !Number.isInteger(item.line_start)) {
+                pushIssue(issues, {
+                    result_index: resultIndex,
+                    task_id: taskId,
+                    field: `${label}.affected_files[${k}].line_start`,
+                    message: `affected_files[${k}].line_start must be an integer, got ${describeValue(item.line_start)}.`,
+                });
+            }
+            if (item.line_end !== undefined &&
+                !Number.isInteger(item.line_end)) {
+                pushIssue(issues, {
+                    result_index: resultIndex,
+                    task_id: taskId,
+                    field: `${label}.affected_files[${k}].line_end`,
+                    message: `affected_files[${k}].line_end must be an integer, got ${describeValue(item.line_end)}.`,
+                });
+            }
+            if (Number.isInteger(item.line_start) &&
+                Number.isInteger(item.line_end) &&
+                Number(item.line_start) > Number(item.line_end)) {
+                pushIssue(issues, {
+                    result_index: resultIndex,
+                    task_id: taskId,
+                    field: `${label}.affected_files[${k}]`,
+                    message: "affected_files line_start must be less than or equal to line_end.",
+                });
+            }
         }
     }
-    if (!finding.evidence || finding.evidence.length === 0) {
-        issues.push({
+    const evidence = finding.evidence;
+    if (!Array.isArray(evidence) || evidence.length === 0) {
+        pushIssue(issues, {
             result_index: resultIndex,
             task_id: taskId,
-            severity: "error",
             field: `${label}.evidence`,
-            message: "evidence is empty — at least one quoted or referenced excerpt from the reviewed file is required for every finding.",
+            message: "evidence is empty — provide an array of plain strings such as \"src/foo.ts:42 - variable overwritten before use\".",
         });
     }
     else {
-        const hasSubstantiveEntry = finding.evidence.some((e) => e.trim().length > 0);
+        let hasSubstantiveEntry = false;
+        for (let k = 0; k < evidence.length; k++) {
+            const entry = evidence[k];
+            if (typeof entry !== "string") {
+                pushIssue(issues, {
+                    result_index: resultIndex,
+                    task_id: taskId,
+                    field: `${label}.evidence[${k}]`,
+                    message: `evidence[${k}] must be a string, got ${describeValue(entry)}.`,
+                });
+                continue;
+            }
+            if (entry.trim().length > 0) {
+                hasSubstantiveEntry = true;
+            }
+        }
         if (!hasSubstantiveEntry) {
-            issues.push({
+            pushIssue(issues, {
                 result_index: resultIndex,
                 task_id: taskId,
-                severity: "error",
                 field: `${label}.evidence`,
                 message: "All evidence entries are empty strings.",
             });
@@ -87,26 +203,202 @@ function validateFinding(finding, label, taskId, resultIndex) {
     }
     return issues;
 }
-export function validateAuditResults(results, tasks) {
+function coversAffectedSpan(coverage, path, start, end) {
+    return coverage.some((entry) => entry.path === path &&
+        start > 0 &&
+        end > 0 &&
+        end <= entry.total_lines);
+}
+export function validateAuditResults(results, tasks, options = {}) {
     const issues = [];
-    const taskMap = new Map(tasks.map((t) => [t.task_id, t]));
+    const taskMap = new Map(tasks.map((task) => [task.task_id, task]));
+    if (!Array.isArray(results)) {
+        pushIssue(issues, {
+            result_index: -1,
+            task_id: "results",
+            field: "results",
+            message: `Audit results payload must be a JSON array, got ${describeValue(results)}.`,
+        });
+        return issues;
+    }
     for (let i = 0; i < results.length; i++) {
         const result = results[i];
-        const taskId = result.task_id ?? `result[${i}]`;
-        if (!result.reviewed_ranges || result.reviewed_ranges.length === 0) {
-            issues.push({
+        if (!isRecord(result)) {
+            pushIssue(issues, {
+                result_index: i,
+                task_id: `result[${i}]`,
+                field: `results[${i}]`,
+                message: `Each audit result must be an object, got ${describeValue(result)}.`,
+            });
+            continue;
+        }
+        const taskId = issueTaskId(result, i);
+        const task = taskMap.get(taskId);
+        validateRequiredStringField(result.task_id, "task_id", taskId, i, issues);
+        validateRequiredStringField(result.unit_id, "unit_id", taskId, i, issues);
+        validateRequiredStringField(result.pass_id, "pass_id", taskId, i, issues);
+        validateRequiredStringField(result.lens, "lens", taskId, i, issues);
+        if (typeof result.lens === "string" &&
+            !VALID_LENSES.has(result.lens)) {
+            pushIssue(issues, {
+                result_index: i,
+                task_id: taskId,
+                field: "lens",
+                message: `Invalid lens '${result.lens}'. Must be one of: ${[...VALID_LENSES].join(", ")}.`,
+            });
+        }
+        if (tasks.length > 0 && !task) {
+            pushIssue(issues, {
+                result_index: i,
+                task_id: taskId,
+                field: "task_id",
+                message: `Unknown task_id '${taskId}'. Use the active task manifest for valid ids: ` +
+                    tasks.map((item) => item.task_id).join(", "),
+            });
+        }
+        const fileCoverage = result.file_coverage;
+        const normalizedFileCoverage = [];
+        if (!Array.isArray(fileCoverage) || fileCoverage.length === 0) {
+            pushIssue(issues, {
                 result_index: i,
                 task_id: taskId,
-                severity: "error",
-                field: "reviewed_ranges",
-                message: "reviewed_ranges is empty — no proof of file reading was recorded. " +
-                    "Each result must include the line ranges actually read.",
+                field: "file_coverage",
+                message: "file_coverage is empty — each result must declare every assigned file it reviewed and the file's total line count.",
             });
         }
-        for (let j = 0; j < (result.findings ?? []).length; j++) {
-            const finding = result.findings[j];
+        else {
+            const seenCoveragePaths = new Set();
+            for (let j = 0; j < fileCoverage.length; j++) {
+                const entry = fileCoverage[j];
+                if (!isRecord(entry)) {
+                    pushIssue(issues, {
+                        result_index: i,
+                        task_id: taskId,
+                        field: `file_coverage[${j}]`,
+                        message: `file_coverage[${j}] must be an object, got ${describeValue(entry)}.`,
+                    });
+                    continue;
+                }
+                if (!isNonEmptyString(entry.path)) {
+                    pushIssue(issues, {
+                        result_index: i,
+                        task_id: taskId,
+                        field: `file_coverage[${j}].path`,
+                        message: "file_coverage entry has an empty path.",
+                    });
+                }
+                else if (task && !task.file_paths.includes(entry.path)) {
+                    pushIssue(issues, {
+                        result_index: i,
+                        task_id: taskId,
+                        severity: "warning",
+                        field: `file_coverage[${j}].path`,
+                        message: `file_coverage path '${entry.path}' is not listed in the task file_paths.`,
+                    });
+                }
+                else if (seenCoveragePaths.has(entry.path)) {
+                    pushIssue(issues, {
+                        result_index: i,
+                        task_id: taskId,
+                        field: `file_coverage[${j}].path`,
+                        message: `file_coverage path '${entry.path}' is duplicated. Declare each file once.`,
+                    });
+                }
+                else {
+                    seenCoveragePaths.add(entry.path);
+                }
+                if (!Number.isInteger(entry.total_lines)) {
+                    pushIssue(issues, {
+                        result_index: i,
+                        task_id: taskId,
+                        field: `file_coverage[${j}].total_lines`,
+                        message: `file_coverage[${j}].total_lines must be an integer, got ${describeValue(entry.total_lines)}.`,
+                    });
+                }
+                if (Number.isInteger(entry.total_lines) &&
+                    Number(entry.total_lines) <= 0) {
+                    pushIssue(issues, {
+                        result_index: i,
+                        task_id: taskId,
+                        field: `file_coverage[${j}].total_lines`,
+                        message: "file_coverage total_lines must be greater than zero.",
+                    });
+                }
+                const expectedLineCount = typeof entry.path === "string"
+                    ? options.lineIndex?.[entry.path]
+                    : undefined;
+                if (Number.isInteger(entry.total_lines) &&
+                    typeof expectedLineCount === "number" &&
+                    Number(entry.total_lines) !== expectedLineCount) {
+                    pushIssue(issues, {
+                        result_index: i,
+                        task_id: taskId,
+                        field: `file_coverage[${j}].total_lines`,
+                        message: `file_coverage[${j}].total_lines must match the current file line count for '${entry.path}' ` +
+                            `(expected ${expectedLineCount}, got ${entry.total_lines}).`,
+                    });
+                }
+                if (isNonEmptyString(entry.path) &&
+                    Number.isInteger(entry.total_lines) &&
+                    Number(entry.total_lines) > 0) {
+                    normalizedFileCoverage.push({
+                        path: entry.path,
+                        total_lines: Number(entry.total_lines),
+                    });
+                }
+            }
+            if (task) {
+                for (const path of task.file_paths) {
+                    if (!seenCoveragePaths.has(path)) {
+                        pushIssue(issues, {
+                            result_index: i,
+                            task_id: taskId,
+                            field: "file_coverage",
+                            message: `file_coverage must include every assigned file. Missing '${path}'.`,
+                        });
+                    }
+                }
+            }
+        }
+        const findings = result.findings;
+        if (!Array.isArray(findings)) {
+            pushIssue(issues, {
+                result_index: i,
+                task_id: taskId,
+                field: "findings",
+                message: `findings must be an array, got ${describeValue(findings)}.`,
+            });
+            continue;
+        }
+        for (let j = 0; j < findings.length; j++) {
             const label = `findings[${j}]`;
+            const finding = findings[j];
             issues.push(...validateFinding(finding, label, taskId, i));
+            if (!isRecord(finding) || !Array.isArray(finding.affected_files)) {
+                continue;
+            }
+            for (let k = 0; k < finding.affected_files.length; k++) {
+                const affected = finding.affected_files[k];
+                if (!isRecord(affected) || !isNonEmptyString(affected.path)) {
+                    continue;
+                }
+                if (!Number.isInteger(affected.line_start)) {
+                    continue;
+                }
+                const start = Number(affected.line_start);
+                const end = Number.isInteger(affected.line_end)
+                    ? Number(affected.line_end)
+                    : start;
+                if (!coversAffectedSpan(normalizedFileCoverage, affected.path, start, end)) {
+                    pushIssue(issues, {
+                        result_index: i,
+                        task_id: taskId,
+                        field: `${label}.affected_files[${k}]`,
+                        message: `affected_files line span ${affected.path}:${start}-${end} falls outside the declared file_coverage. ` +
+                            "Fix the affected_files location or correct file_coverage.total_lines.",
+                    });
+                }
+            }
         }
     }
     return issues;

package/docs/agent-integrations.md

@@ -26,8 +26,8 @@ The preferred bootstrap path is:
 audit-code install
 ```
 
-That installs repo-local `/audit-code` surfaces for VS Code / Copilot, OpenCode, Claude Code, and compatibility instruction files such as `AGENTS.md` and `CLAUDE.md`.
-It also writes `.audit-code/install/GETTING-STARTED.md` with dedicated quick-start sections for VS Code, OpenCode, Claude Code, Claude Desktop, and Antigravity.
+That installs repo-local `/audit-code` surfaces and MCP-oriented support assets for Codex, Claude Desktop, OpenCode, VS Code, and Antigravity.
+It also writes `.audit-code/install/GETTING-STARTED.md` with dedicated quick-start sections for each host plus `.audit-code/install/manifest.json` and a shared repo-local MCP launcher.
 
 Use one of these supported ways to obtain the raw prompt asset directly when you need prompt import instead:
 
@@ -44,58 +44,56 @@ This is the intended product surface.
 
 Use `/audit-code` in conversation, treat the active conversation model as the default model, and treat project files plus attached repository context as the default context.
 
-### GitHub Copilot
+### Codex
 
-Use `audit-code install` from the target repository root.
+Use `audit-code install --host codex` or the default `audit-code install` from the target repository root.
 
-That writes `.github/prompts/audit-code.prompt.md` and `.github/copilot-instructions.md` so the repository carries the canonical `/audit-code` instructions instead of relying on manual copy-paste.
-The generated prompt file explicitly sets `agent: agent` so `/audit-code` lands in the tool-capable Copilot agent flow.
+That writes a repo-local Codex skill bundle, updates `AGENTS.md` through a managed block when needed, and emits Codex-specific MCP setup guidance plus an automation recipe in `.audit-code/install/codex/`.
+The intended operator flow is still conversational first, with the generated skill and AGENTS guidance steering the active Codex session toward `/audit-code` and the MCP-backed workflow.
 
-The narrower `audit-code install-host --host copilot` alias still exists, but it is no longer the preferred setup path.
+The Codex automation recipe should still be treated as optional follow-through after the basic local flow is validated in the real app.
 
-### OpenCode
+### Claude Desktop
 
-Use `audit-code install` from the target repository root.
+Use `audit-code install --host claude-desktop` or the default `audit-code install` from the target repository root.
 
-That writes `.opencode/commands/audit-code.md` plus `AGENTS.md` and compatibility skills so `/audit-code` is available in the repository with no extra provider flags.
-The generated OpenCode command now sets `agent: build` and keeps the current model selection, which makes the slash command behave more like the intended autonomous editing flow.
-The generated `.audit-code/install/GETTING-STARTED.md` file also includes an OpenCode-specific quick start so the repo-local command path is obvious after bootstrap.
+This repository now treats Claude Desktop as an MCP-first host. The installer writes:
 
-### Claude Code
+- `.audit-code/install/claude-desktop/PROJECT-TEMPLATE.md`
+- `.audit-code/install/claude-desktop/remote-mcp-connector.json`
+- generated local bundle artifacts including `auditor-lambda.dxt` and `auditor-lambda.mcpb`
+
+The intended path is to install or reference the generated local MCP bundle, then use the shared prompt and project-template guidance to run `/audit-code` conversationally.
+Manual prompt import remains a fallback, not the primary documented path.
+
+### OpenCode
 
 Use `audit-code install` from the target repository root.
 
-That writes `.claude/commands/audit-code.md`, `CLAUDE.md`, and compatibility skills so `/audit-code` is available in the repository with no extra provider flags.
-The generated `.audit-code/install/GETTING-STARTED.md` file also includes a Claude Code-specific quick start so the repo-local command path is obvious after bootstrap.
+That writes `.opencode/commands/audit-code.md`, a repo-local OpenCode skill bundle, and `opencode.json` so `/audit-code` is available in the repository with no extra provider flags.
+The generated OpenCode assets also point OpenCode toward the shared auditor MCP server instead of rebuilding backend state ad hoc.
 
 ### VS Code
 
 Run `audit-code install` from the target repository root, then open `.audit-code/install/GETTING-STARTED.md` if you want the exact repo-local path that bootstrap created for VS Code chat surfaces.
 
+That writes `.github/prompts/audit-code.prompt.md`, `.github/copilot-instructions.md`, `.github/agents/auditor.agent.md`, and `.vscode/mcp.json`.
 The expected happy path is still to invoke `/audit-code` from chat, not to start from the backend CLI.
 
-### Claude Desktop
-
-Run `audit-code install` from the target repository root, then open `.audit-code/install/GETTING-STARTED.md`.
-
-There is no verified project-local slash-command install surface for Claude Desktop in this repository today, so the intended path is:
-
-1. import `.audit-code/install/audit-code.import.md` into Claude Desktop's prompt or instruction surface
-2. invoke `/audit-code` conversationally inside Claude Desktop
-
 ### Antigravity
 
 Run `audit-code install` from the target repository root, then open `.audit-code/install/GETTING-STARTED.md`.
 
-There is no verified repo-local slash-command install surface for Antigravity in this repository today, so the intended path is:
+There is still no documented native repo-local saved-workflow surface for Antigravity in this repository today, so the intended path is:
 
-1. import `.audit-code/install/audit-code.import.md` into Antigravity's prompt or instruction surface when available
-2. invoke `/audit-code` conversationally inside Antigravity
-3. fall back to `audit-code` from an Antigravity-managed terminal only when you intentionally need the repo-local backend wrapper
+1. use the generated planning-mode and MCP setup guidance
+2. invoke `/audit-code` conversationally inside Antigravity when the host surface allows it
+3. use the shared MCP tools and resources when structured state exchange is needed
+4. fall back to `audit-code` from an Antigravity-managed terminal only when you intentionally need the repo-local backend wrapper
 
 ### Similar manual-import hosts
 
-Use the same installed prompt asset and repo-local guide pattern as Claude Desktop and Antigravity.
+Use the same installed prompt asset and repo-local guide pattern as Antigravity, or the same MCP-first bundle pattern as Claude Desktop, depending on what the host actually supports.
 
 The backend CLI remains optional fallback infrastructure.
 
@@ -224,6 +222,17 @@ Current recommended usage is one of these:
 
 That keeps the product usable in Antigravity now without pretending that a native adapter already exists.
 
+## Remaining steps
+
+The current implementation shipped the shared installer and MCP substrate. The remaining work is operational validation and fit-and-finish, not a fresh redesign.
+
+Highest-value follow-through:
+
+1. validate the generated Codex, Claude Desktop, OpenCode, and VS Code assets inside the real products they target
+2. tighten generated quick-start guidance anywhere those host smoke tests expose ambiguity
+3. document exactly how Antigravity artifacts should map into `import_results` and `import_runtime_updates`
+4. keep host claims conservative until those end-to-end product checks are complete
+
 ## Model-selection rule
 
 The product direction remains skill-first:

package/docs/artifacts.md

@@ -1,8 +1,10 @@
-# Core artifacts
+# Core Artifacts
 
-These JSON artifacts are the stable contract between deterministic tooling and LLM audit passes.
+This document follows [audit-goals.md](C:/Code/auditor-lambda/spec/audit-goals.md).
 
-## Core files
+## Incomplete-run artifacts
+
+During an incomplete or blocked audit, `.audit-artifacts/` may contain:
 
 - `repo_manifest.json`
 - `file_disposition.json`
@@ -13,57 +15,22 @@ These JSON artifacts are the stable contract between deterministic tooling and L
 - `flow_coverage.json`
 - `risk_register.json`
 - `coverage_matrix.json`
-- `runtime_validation_tasks.json`
-- `runtime_validation_report.json`
+- `runtime_validation_tasks.json` when deterministic runtime validation is planned
+- `runtime_validation_report.json` when runtime validation has executed or been updated
 - `external_analyzer_results.json`
-- `audit_results.json`
+- `audit_tasks.json`
+- `audit_results.jsonl`
 - `requeue_tasks.json`
-- `merged_findings.json`
-- `root_cause_clusters.json`
-- `synthesis_report.json`
-
-## Design rule
-
-Tool-specific collectors should write into these normalized formats so that the agent layer can remain portable across runtimes.
-
-## Coverage rule
-
-Coverage is not based only on test instrumentation. It is based on explicit audit accounting:
-
-- file classification
-- file disposition
-- unit assignment
-- required lenses
-- reviewed source ranges
-- completed passes
-- requeue targets for missing review
-- critical-flow coverage state
-
-## Excluded artifact behavior
-
-Files marked as generated, vendor, binary, doc-only, or explicitly excluded should remain visible in manifests and disposition tracking, but should not receive normal audit-unit assignment or requeue tasks.
-
-## Critical flow role
-
-`critical_flows.json` is intended to bridge deterministic planning and higher-order semantic review. It gives LLM agents a bounded way to inspect important end-to-end paths without reading the entire repository at once.
-
-`flow_coverage.json` tracks whether those important paths have received the intended lenses, which allows the planner to treat critical-flow review as a first-class coverage requirement rather than a loose advisory layer.
-
-## Runtime validation role
-
-`runtime_validation_tasks.json` turns unresolved high-risk units and incomplete critical flows into explicit dynamic follow-up work.
-
-`runtime_validation_report.json` is where evidence from those checks should land so that later synthesis can distinguish confirmed, not-confirmed, and inconclusive concerns.
+- dispatch files for the currently active worker task
 
-## External analyzer role
+## Scope rule
 
-`external_analyzer_results.json` is the normalized landing zone for third-party tools such as SAST analyzers, coverage summaries, lint diagnostics, dependency scanners, and similar sources. Downstream prompts should prefer this normalized form over raw tool-native payloads.
+Excluded files remain visible in deterministic intake/disposition where useful,
+but they must not create audit work. This includes logs, licenses, lockfiles,
+generated artifacts, vendored artifacts, binaries, and trivial non-code files.
 
-External analyzer results now also influence:
+## Completion rule
 
-- risk scoring
-- required lenses in coverage
-- task priority
-- dedicated analyzer follow-up tasks
-- requeue priority
-- synthesis evidence and summaries
+These artifacts are transient implementation state only. When the audit
+completes, `.audit-artifacts/` is removed and only repo-root `audit-report.md`
+remains.