auditor-lambda 0.2.6 → 0.2.8

package/dist/prompts/renderWorkerPrompt.js

@@ -20,15 +20,16 @@ export function renderWorkerPrompt(task) {
             "  2. Review the content under the specified lens.",
             "  3. Emit one AuditResult with:",
             "       task_id, unit_id, pass_id, lens",
-            "       reviewed_ranges: [{path, start, end, line_count}] covering what you read",
+            "       file_coverage: [{path, total_lines}] for every assigned file you reviewed",
             "       findings: array (empty if nothing found)",
-            "     line_count must match the file's current total line count so ingestion can verify the cited ranges.",
+            "     total_lines must match the file's current total line count.",
             "     Each finding must include:",
             "       id, title, category, severity, confidence, lens, summary, affected_files,",
             "       evidence (an array of plain strings only, at least one excerpt or line reference from the file you read)",
             "       Example evidence entry: src/foo.ts:42 - variable overwritten before use",
             "     Optional finding fields: impact, likelihood, reproduction, systemic, related_findings",
             "     Low-priority tasks still require a real review. Use findings: [] only when you genuinely found nothing notable.",
+            `Reference schema: ${task.artifacts_dir}/dispatch/audit-result.schema.json`,
             `Write the AuditResult[] JSON array to: ${task.audit_results_path}`,
         ];
         if (task.skip_worker_command) {

package/dist/reporting/mergeFindings.js

@@ -82,9 +82,6 @@ export function mergeFindings(results, runtimeReport, externalAnalyzerResults) {
                             ...analyzerEvidence,
                         ]),
                     ],
-                    related_findings: finding.related_findings && finding.related_findings.length > 0
-                        ? [...new Set(finding.related_findings)]
-                        : undefined,
                 });
                 continue;
             }
@@ -110,14 +107,6 @@ export function mergeFindings(results, runtimeReport, externalAnalyzerResults) {
                     ...analyzerEvidence,
                 ]),
             ];
-            const related = new Set([
-                ...(existing.related_findings ?? []),
-                ...(finding.related_findings ?? []),
-                existing.id,
-                finding.id,
-            ]);
-            existing.related_findings =
-                related.size > 0 ? [...related].sort() : undefined;
         }
     }
     return [...merged.values()].sort((a, b) => {

package/dist/reporting/synthesis.d.ts

@@ -1,24 +1,27 @@
-import type { AuditResult } from "../types.js";
-import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
+import type { AuditResult, CoverageMatrix, Finding, UnitManifest } from "../types.js";
+import type { CriticalFlowManifest } from "../types/flows.js";
+import type { GraphBundle } from "../types/graph.js";
 import type { RuntimeValidationReport } from "../types/runtimeValidation.js";
-import { mergeFindings } from "./mergeFindings.js";
-import { buildRootCauseClusters } from "./rootCause.js";
-import { buildWorkBlocks } from "./workBlocks.js";
-export interface SynthesisReport {
-    summary: {
-        finding_count: number;
-        cluster_count: number;
-        work_block_count: number;
-        runtime_validation_status_breakdown: Record<string, number>;
-        notes: string[];
-        severity_breakdown: Record<string, number>;
-        external_analyzer_summary: {
-            tool_count: number;
-            result_count: number;
-        };
-    };
-    merged_findings: ReturnType<typeof mergeFindings>;
-    root_cause_clusters: ReturnType<typeof buildRootCauseClusters>;
-    work_blocks: ReturnType<typeof buildWorkBlocks>;
+import { type WorkBlock } from "./workBlocks.js";
+export interface AuditReportSummary {
+    finding_count: number;
+    work_block_count: number;
+    severity_breakdown: Record<string, number>;
+    audited_file_count: number;
+    excluded_file_count: number;
+    runtime_validation_status_breakdown: Record<string, number>;
 }
-export declare function buildSynthesisReport(results: AuditResult[], runtimeReport?: RuntimeValidationReport, externalAnalyzerResults?: ExternalAnalyzerResults): SynthesisReport;
+export interface AuditReportModel {
+    summary: AuditReportSummary;
+    findings: Finding[];
+    work_blocks: WorkBlock[];
+}
+export declare function buildAuditReportModel(params: {
+    results: AuditResult[];
+    unitManifest?: UnitManifest;
+    graphBundle?: GraphBundle;
+    criticalFlows?: CriticalFlowManifest;
+    coverageMatrix?: CoverageMatrix;
+    runtimeValidationReport?: RuntimeValidationReport;
+}): AuditReportModel;
+export declare function renderAuditReportMarkdown(model: AuditReportModel): string;

package/dist/reporting/synthesis.js

@@ -1,13 +1,5 @@
-import { mergeFindings } from "./mergeFindings.js";
-import { buildRootCauseClusters } from "./rootCause.js";
 import { buildWorkBlocks } from "./workBlocks.js";
-function statusBreakdown(report) {
-    const breakdown = {};
-    for (const result of report?.results ?? []) {
-        breakdown[result.status] = (breakdown[result.status] ?? 0) + 1;
-    }
-    return breakdown;
-}
+import { mergeFindings } from "./mergeFindings.js";
 function severityBreakdown(findings) {
     const breakdown = {};
     for (const finding of findings) {
@@ -15,63 +7,104 @@ function severityBreakdown(findings) {
     }
     return breakdown;
 }
-function zeroFindingLensNotes(results) {
-    const tasksByLens = new Map();
-    const findingsByLens = new Map();
-    for (const result of results) {
-        tasksByLens.set(result.lens, (tasksByLens.get(result.lens) ?? 0) + 1);
-        findingsByLens.set(result.lens, (findingsByLens.get(result.lens) ?? 0) + result.findings.length);
+function runtimeStatusBreakdown(report) {
+    const breakdown = {};
+    for (const result of report?.results ?? []) {
+        breakdown[result.status] = (breakdown[result.status] ?? 0) + 1;
     }
-    const zeroLenses = [...tasksByLens.entries()]
-        .filter(([lens, count]) => count > 0 && (findingsByLens.get(lens) ?? 0) === 0)
-        .map(([lens]) => lens)
-        .sort();
-    if (zeroLenses.length === 0)
-        return [];
-    return [
-        `Zero findings across all reviewed tasks for lens(es): ${zeroLenses.join(", ")}. Verify these tasks were genuinely reviewed rather than batch-generated.`,
-    ];
+    return breakdown;
 }
-function externalSummary(results) {
-    if (!results) {
-        return { tool_count: 0, result_count: 0 };
-    }
+function coverageSummary(coverage) {
+    const files = coverage?.files ?? [];
     return {
-        tool_count: results.tool ? 1 : 0,
-        result_count: results.results.length,
+        audited_file_count: files.filter((file) => file.audit_status === "complete").length,
+        excluded_file_count: files.filter((file) => file.audit_status === "excluded").length,
     };
 }
-export function buildSynthesisReport(results, runtimeReport, externalAnalyzerResults) {
-    const merged_findings = mergeFindings(results, runtimeReport, externalAnalyzerResults);
-    const root_cause_clusters = buildRootCauseClusters(merged_findings, runtimeReport, externalAnalyzerResults);
-    const work_blocks = buildWorkBlocks(merged_findings);
-    const runtimeBreakdown = statusBreakdown(runtimeReport);
-    const sevBreakdown = severityBreakdown(merged_findings);
-    const extSummary = externalSummary(externalAnalyzerResults);
+function formatSeverityList(summary) {
+    const ordered = ["critical", "high", "medium", "low", "info"];
+    const parts = ordered
+        .filter((severity) => (summary[severity] ?? 0) > 0)
+        .map((severity) => `${severity}: ${summary[severity]}`);
+    return parts.length > 0 ? parts.join(", ") : "none";
+}
+export function buildAuditReportModel(params) {
+    const findings = mergeFindings(params.results, params.runtimeValidationReport);
+    const workBlocks = buildWorkBlocks({
+        findings,
+        unitManifest: params.unitManifest,
+        graphBundle: params.graphBundle,
+        criticalFlows: params.criticalFlows,
+    });
+    const coverage = coverageSummary(params.coverageMatrix);
     return {
         summary: {
-            finding_count: merged_findings.length,
-            cluster_count: root_cause_clusters.length,
-            work_block_count: work_blocks.length,
-            runtime_validation_status_breakdown: runtimeBreakdown,
-            severity_breakdown: sevBreakdown,
-            external_analyzer_summary: extSummary,
-            notes: [
-                ...(Object.keys(runtimeBreakdown).length === 0
-                    ? ["No runtime validation evidence attached."]
-                    : [
-                        "Runtime validation evidence has been incorporated into synthesis.",
-                    ]),
-                ...(extSummary.result_count > 0
-                    ? [
-                        `External analyzer signals incorporated: ${extSummary.result_count} result(s) from ${externalAnalyzerResults?.tool}.`,
-                    ]
-                    : []),
-                ...zeroFindingLensNotes(results),
-            ],
+            finding_count: findings.length,
+            work_block_count: workBlocks.length,
+            severity_breakdown: severityBreakdown(findings),
+            audited_file_count: coverage.audited_file_count,
+            excluded_file_count: coverage.excluded_file_count,
+            runtime_validation_status_breakdown: runtimeStatusBreakdown(params.runtimeValidationReport),
         },
-        merged_findings,
-        root_cause_clusters,
-        work_blocks,
+        findings,
+        work_blocks: workBlocks,
     };
 }
+export function renderAuditReportMarkdown(model) {
+    const lines = [
+        "# Audit Report",
+        "",
+        "## Summary",
+        "",
+        `- Findings: ${model.summary.finding_count}`,
+        `- Work blocks: ${model.summary.work_block_count}`,
+        `- Severity breakdown: ${formatSeverityList(model.summary.severity_breakdown)}`,
+        `- Fully audited files: ${model.summary.audited_file_count}`,
+        `- Excluded non-auditable files: ${model.summary.excluded_file_count}`,
+        "",
+        "## Work Blocks",
+        "",
+    ];
+    if (model.work_blocks.length === 0) {
+        lines.push("No remediation work blocks were generated.", "");
+    }
+    else {
+        for (const block of model.work_blocks) {
+            lines.push(`### ${block.id}`);
+            lines.push("");
+            lines.push(`- Max severity: ${block.max_severity}`);
+            lines.push(`- Units: ${block.unit_ids.join(", ")}`);
+            lines.push(`- Owned files: ${block.owned_files.join(", ")}`);
+            lines.push(`- Findings: ${block.finding_ids.join(", ")}`);
+            lines.push(`- Depends on: ${block.depends_on.length > 0 ? block.depends_on.join(", ") : "none"}`);
+            lines.push(`- Rationale: ${block.rationale}`);
+            lines.push("");
+        }
+    }
+    lines.push("## Findings", "");
+    if (model.findings.length === 0) {
+        lines.push("No findings were recorded.", "");
+    }
+    else {
+        for (const finding of model.findings) {
+            lines.push(`### ${finding.id} — ${finding.title}`);
+            lines.push("");
+            lines.push(`- Severity: ${finding.severity}`);
+            lines.push(`- Confidence: ${finding.confidence}`);
+            lines.push(`- Lens: ${finding.lens}`);
+            lines.push(`- Files: ${finding.affected_files.map((file) => file.path).join(", ")}`);
+            lines.push(`- Summary: ${finding.summary}`);
+            if (finding.evidence && finding.evidence.length > 0) {
+                lines.push("- Evidence:");
+                for (const evidence of finding.evidence) {
+                    lines.push(`  - ${evidence}`);
+                }
+            }
+            lines.push("");
+        }
+    }
+    lines.push("## Scope and Coverage", "");
+    lines.push("This report is deterministic output from the completed audit. Non-auditable files were excluded from scope before task generation.");
+    lines.push("");
+    return lines.join("\n");
+}

package/dist/reporting/workBlocks.d.ts

@@ -1,9 +1,18 @@
-import type { Finding } from "../types.js";
+import type { Finding, UnitManifest } from "../types.js";
+import type { CriticalFlowManifest } from "../types/flows.js";
+import type { GraphBundle } from "../types/graph.js";
 export interface WorkBlock {
     id: string;
     finding_ids: string[];
-    affected_files: string[];
+    unit_ids: string[];
+    owned_files: string[];
     max_severity: Finding["severity"];
     rationale: string;
+    depends_on: string[];
 }
-export declare function buildWorkBlocks(findings: Finding[]): WorkBlock[];
+export declare function buildWorkBlocks(params: {
+    findings: Finding[];
+    unitManifest?: UnitManifest;
+    graphBundle?: GraphBundle;
+    criticalFlows?: CriticalFlowManifest;
+}): WorkBlock[];

package/dist/reporting/workBlocks.js

@@ -12,98 +12,152 @@ function severityRank(severity) {
             return 1;
     }
 }
-export function buildWorkBlocks(findings) {
-    if (findings.length === 0)
+function buildFileUnitMap(unitManifest) {
+    const map = new Map();
+    for (const unit of unitManifest?.units ?? []) {
+        for (const path of unit.files) {
+            if (!map.has(path)) {
+                map.set(path, unit.unit_id);
+            }
+        }
+    }
+    return map;
+}
+function normalizeOwnedUnits(finding, fileUnitMap) {
+    const unitIds = new Set();
+    for (const file of finding.affected_files) {
+        const mapped = fileUnitMap.get(file.path);
+        unitIds.add(mapped ?? `file:${file.path}`);
+    }
+    return [...unitIds].sort();
+}
+function computeDependencies(params) {
+    const blockByFile = new Map();
+    for (const block of params.blocks) {
+        for (const path of block.owned_files) {
+            blockByFile.set(path, block.id);
+        }
+    }
+    const dependsOn = new Map();
+    for (const block of params.blocks) {
+        dependsOn.set(block.id, new Set());
+    }
+    const graphEdges = [
+        ...(params.graphBundle?.graphs.imports ?? []),
+        ...(params.graphBundle?.graphs.calls ?? []),
+    ];
+    for (const edge of graphEdges) {
+        const fromBlock = blockByFile.get(edge.from);
+        const toBlock = blockByFile.get(edge.to);
+        if (fromBlock && toBlock && fromBlock !== toBlock) {
+            dependsOn.get(fromBlock)?.add(toBlock);
+        }
+    }
+    for (const flow of params.criticalFlows?.flows ?? []) {
+        const flowBlocks = new Set();
+        for (const path of flow.paths) {
+            const blockId = blockByFile.get(path);
+            if (blockId) {
+                flowBlocks.add(blockId);
+            }
+        }
+        const ordered = [...flowBlocks].sort();
+        for (let i = 1; i < ordered.length; i++) {
+            dependsOn.get(ordered[i - 1])?.add(ordered[i]);
+        }
+    }
+    return params.blocks.map((block) => ({
+        ...block,
+        depends_on: [...(dependsOn.get(block.id) ?? [])].sort(),
+    }));
+}
+export function buildWorkBlocks(params) {
+    if (params.findings.length === 0) {
         return [];
+    }
+    const fileUnitMap = buildFileUnitMap(params.unitManifest);
     const parent = new Map();
+    const findingUnits = new Map();
     function find(id) {
         if (!parent.has(id))
             parent.set(id, id);
-        const p = parent.get(id);
-        if (p === id)
+        const current = parent.get(id);
+        if (current === id)
             return id;
-        const root = find(p);
+        const root = find(current);
         parent.set(id, root);
         return root;
     }
     function union(a, b) {
-        const ra = find(a);
-        const rb = find(b);
-        if (ra !== rb)
-            parent.set(ra, rb);
-    }
-    for (const finding of findings)
-        find(finding.id);
-    // Union findings that share affected files
-    const fileToIds = new Map();
-    for (const finding of findings) {
-        for (const af of finding.affected_files) {
-            const ids = fileToIds.get(af.path) ?? [];
-            ids.push(finding.id);
-            fileToIds.set(af.path, ids);
+        const rootA = find(a);
+        const rootB = find(b);
+        if (rootA !== rootB) {
+            parent.set(rootA, rootB);
         }
     }
-    for (const ids of fileToIds.values()) {
-        for (let i = 1; i < ids.length; i++) {
-            union(ids[0], ids[i]);
+    const unitToFindingIds = new Map();
+    for (const finding of params.findings) {
+        parent.set(finding.id, finding.id);
+        const ownedUnits = normalizeOwnedUnits(finding, fileUnitMap);
+        findingUnits.set(finding.id, ownedUnits);
+        for (const unitId of ownedUnits) {
+            const ids = unitToFindingIds.get(unitId) ?? [];
+            ids.push(finding.id);
+            unitToFindingIds.set(unitId, ids);
         }
     }
-    // Union findings explicitly linked via related_findings
-    const knownIds = new Set(findings.map((f) => f.id));
-    for (const finding of findings) {
-        for (const relId of finding.related_findings ?? []) {
-            if (knownIds.has(relId))
-                union(finding.id, relId);
+    for (const ids of unitToFindingIds.values()) {
+        for (let index = 1; index < ids.length; index++) {
+            union(ids[0], ids[index]);
         }
     }
-    // Collect connected components
-    const groups = new Map();
-    for (const finding of findings) {
+    const grouped = new Map();
+    for (const finding of params.findings) {
         const root = find(finding.id);
-        const group = groups.get(root) ?? [];
+        const group = grouped.get(root) ?? [];
         group.push(finding);
-        groups.set(root, group);
+        grouped.set(root, group);
     }
-    const blocks = [];
-    for (const group of groups.values()) {
-        // Within a block: severity desc, systemic first, then title
-        const sorted = [...group].sort((a, b) => {
-            const sevDelta = severityRank(b.severity) - severityRank(a.severity);
-            if (sevDelta !== 0)
-                return sevDelta;
-            const sysA = a.systemic ? 1 : 0;
-            const sysB = b.systemic ? 1 : 0;
-            if (sysA !== sysB)
-                return sysB - sysA;
-            return a.title.localeCompare(b.title);
+    const blocks = [...grouped.values()].map((group, index) => {
+        const orderedFindings = [...group].sort((a, b) => {
+            const severityDelta = severityRank(b.severity) - severityRank(a.severity);
+            if (severityDelta !== 0)
+                return severityDelta;
+            return a.id.localeCompare(b.id);
         });
-        const affectedFiles = [
-            ...new Set(sorted.flatMap((f) => f.affected_files.map((af) => af.path))),
+        const unitIds = [
+            ...new Set(group.flatMap((finding) => findingUnits.get(finding.id) ?? [])),
         ].sort();
-        const maxSeverity = sorted[0].severity;
-        const rationale = affectedFiles.length === 1
-            ? `${sorted.length} finding(s) affect the same file — fix together to avoid conflicts.`
-            : `${sorted.length} finding(s) share ${affectedFiles.length} file(s) or are linked via related_findings — fix as a unit so one change does not invalidate another.`;
-        blocks.push({
-            id: "",
-            finding_ids: sorted.map((f) => f.id),
-            affected_files: affectedFiles,
-            max_severity: maxSeverity,
-            rationale,
-        });
-    }
-    // Sort blocks: highest severity first, then largest group, then stable by first finding id
+        const ownedFiles = [
+            ...new Set(group.flatMap((finding) => finding.affected_files.map((file) => file.path))),
+        ].sort();
+        return {
+            id: `block-${index + 1}`,
+            finding_ids: orderedFindings.map((finding) => finding.id),
+            unit_ids: unitIds,
+            owned_files: ownedFiles,
+            max_severity: orderedFindings[0].severity,
+            rationale: unitIds.length === 1
+                ? "All findings map to the same owned unit and should be remediated together."
+                : "Findings share owned units transitively and should remain one non-overlapping remediation block.",
+            depends_on: [],
+        };
+    });
     blocks.sort((a, b) => {
-        const sevDelta = severityRank(b.max_severity) - severityRank(a.max_severity);
-        if (sevDelta !== 0)
-            return sevDelta;
-        const lenDelta = b.finding_ids.length - a.finding_ids.length;
-        if (lenDelta !== 0)
-            return lenDelta;
-        return (a.finding_ids[0] ?? "").localeCompare(b.finding_ids[0] ?? "");
+        const severityDelta = severityRank(b.max_severity) - severityRank(a.max_severity);
+        if (severityDelta !== 0)
+            return severityDelta;
+        const findingDelta = b.finding_ids.length - a.finding_ids.length;
+        if (findingDelta !== 0)
+            return findingDelta;
+        return a.id.localeCompare(b.id);
     });
-    for (let i = 0; i < blocks.length; i++) {
-        blocks[i].id = `block-${i + 1}`;
+    for (let index = 0; index < blocks.length; index++) {
+        blocks[index].id = `block-${index + 1}`;
     }
-    return blocks;
+    return computeDependencies({
+        blocks,
+        graphBundle: params.graphBundle,
+        criticalFlows: params.criticalFlows,
+    });
 }

package/dist/types/flows.d.ts

@@ -4,8 +4,10 @@ export interface CriticalFlow {
     entrypoints: string[];
     paths: string[];
     concerns: string[];
+    confidence?: "high" | "low";
     notes?: string[];
 }
 export interface CriticalFlowManifest {
     flows: CriticalFlow[];
+    fallback_required?: boolean;
 }

package/dist/types/runtimeValidation.d.ts

@@ -5,6 +5,7 @@ export interface RuntimeValidationTask {
     target_paths: string[];
     reason: string;
     priority: "high" | "medium" | "low";
+    command?: string[];
     suggested_checks?: string[];
     source_artifacts?: string[];
 }
@@ -13,7 +14,7 @@ export interface RuntimeValidationTaskManifest {
 }
 export interface RuntimeValidationResult {
     task_id: string;
-    status: "pending" | "confirmed" | "not_confirmed" | "inconclusive";
+    status: "pending" | "confirmed" | "not_confirmed" | "inconclusive" | "not_required";
     summary: string;
     evidence?: string[];
     notes?: string[];

package/dist/types.d.ts

@@ -28,10 +28,9 @@ export interface AuditUnit {
 export interface UnitManifest {
     units: AuditUnit[];
 }
-export interface ReviewedLineRange {
+export interface FileCoverageRecord {
     path: string;
-    start: number;
-    end: number;
+    total_lines: number;
     pass_id: string;
     lens?: Lens;
     agent_role?: string;
@@ -94,11 +93,9 @@ export interface AuditResult {
     pass_id: string;
     lens: Lens;
     agent_role?: string;
-    reviewed_ranges: Array<{
+    file_coverage: Array<{
         path: string;
-        start: number;
-        end: number;
-        line_count: number;
+        total_lines: number;
     }>;
     findings: Finding[];
     notes?: string[];