auditor-lambda 0.2.6 → 0.2.9

package/dist/validation/artifacts.js

@@ -1,6 +1,9 @@
-import { requireKeys } from "./basic.js";
+import { pushValidationIssue, requireKeys, } from "./basic.js";
 function pushIssue(issues, path, message) {
-    issues.push({ path, message });
+    pushValidationIssue(issues, path, message);
+}
+function asArray(value) {
+    return Array.isArray(value) ? value : [];
 }
 export function validateArtifactBundle(bundle) {
     const issues = [];
@@ -37,14 +40,24 @@ export function validateArtifactBundle(bundle) {
     if (bundle.external_analyzer_results) {
         issues.push(...requireKeys(bundle.external_analyzer_results, "external_analyzer_results", ["tool", "results"]));
     }
-    const repoPaths = new Set(bundle.repo_manifest?.files.map((file) => file.path) ?? []);
-    const dispositionMap = new Map(bundle.file_disposition?.files.map((item) => [item.path, item.status]) ??
-        []);
-    const unitIds = new Set(bundle.unit_manifest?.units.map((unit) => unit.unit_id) ?? []);
-    const flowIds = new Set(bundle.critical_flows?.flows.map((flow) => flow.id) ?? []);
-    const runtimeTaskIds = new Set(bundle.runtime_validation_tasks?.tasks.map((task) => task.id) ?? []);
+    const repoManifestFiles = asArray(bundle.repo_manifest?.files);
+    const fileDispositionEntries = asArray(bundle.file_disposition?.files);
+    const unitManifestUnits = asArray(bundle.unit_manifest?.units);
+    const criticalFlows = asArray(bundle.critical_flows?.flows);
+    const flowCoverageEntries = asArray(bundle.flow_coverage?.flows);
+    const riskRegisterItems = asArray(bundle.risk_register?.items);
+    const surfaceEntries = asArray(bundle.surface_manifest?.surfaces);
+    const runtimeValidationTasks = asArray(bundle.runtime_validation_tasks?.tasks);
+    const runtimeValidationResults = asArray(bundle.runtime_validation_report?.results);
+    const externalAnalyzerResults = asArray(bundle.external_analyzer_results?.results);
+    const coverageFiles = asArray(bundle.coverage_matrix?.files);
+    const repoPaths = new Set(repoManifestFiles.map((file) => file.path));
+    const dispositionMap = new Map(fileDispositionEntries.map((item) => [item.path, item.status]));
+    const unitIds = new Set(unitManifestUnits.map((unit) => unit.unit_id));
+    const flowIds = new Set(criticalFlows.map((flow) => flow.id));
+    const runtimeTaskIds = new Set(runtimeValidationTasks.map((task) => task.id));
     if (bundle.repo_manifest && bundle.coverage_matrix) {
-        const coveragePaths = new Set(bundle.coverage_matrix.files.map((file) => file.path));
+        const coveragePaths = new Set(coverageFiles.map((file) => file.path));
         for (const path of repoPaths) {
             if (!coveragePaths.has(path)) {
                 pushIssue(issues, "coverage_matrix", `Missing coverage entry for ${path}`);
@@ -52,7 +65,7 @@ export function validateArtifactBundle(bundle) {
         }
     }
     if (bundle.repo_manifest && bundle.file_disposition) {
-        const dispositionPaths = new Set(bundle.file_disposition.files.map((file) => file.path));
+        const dispositionPaths = new Set(fileDispositionEntries.map((file) => file.path));
         for (const path of repoPaths) {
             if (!dispositionPaths.has(path)) {
                 pushIssue(issues, "file_disposition", `Missing disposition entry for ${path}`);
@@ -60,7 +73,7 @@ export function validateArtifactBundle(bundle) {
         }
     }
     if (bundle.unit_manifest) {
-        for (const unit of bundle.unit_manifest.units) {
+        for (const unit of unitManifestUnits) {
             if (unit.files.length === 0) {
                 pushIssue(issues, `unit_manifest:${unit.unit_id}`, "Unit has no files");
             }
@@ -79,7 +92,7 @@ export function validateArtifactBundle(bundle) {
         }
     }
     if (bundle.coverage_matrix && bundle.unit_manifest) {
-        for (const file of bundle.coverage_matrix.files) {
+        for (const file of coverageFiles) {
             if (!repoPaths.has(file.path)) {
                 pushIssue(issues, "coverage_matrix", `Coverage contains unknown file ${file.path}`);
             }
@@ -103,7 +116,7 @@ export function validateArtifactBundle(bundle) {
         }
     }
     if (bundle.critical_flows) {
-        for (const flow of bundle.critical_flows.flows) {
+        for (const flow of criticalFlows) {
             if (flow.paths.length === 0) {
                 pushIssue(issues, `critical_flows:${flow.id}`, "Flow has no paths");
             }
@@ -122,7 +135,7 @@ export function validateArtifactBundle(bundle) {
         }
     }
     if (bundle.flow_coverage && bundle.critical_flows) {
-        for (const flow of bundle.flow_coverage.flows) {
+        for (const flow of flowCoverageEntries) {
             if (!flowIds.has(flow.flow_id)) {
                 pushIssue(issues, `flow_coverage:${flow.flow_id}`, `Flow coverage references unknown flow ${flow.flow_id}`);
             }
@@ -143,15 +156,15 @@ export function validateArtifactBundle(bundle) {
         }
     }
     if (bundle.risk_register && bundle.unit_manifest) {
-        const riskUnitIds = new Set(bundle.risk_register.items.map((item) => item.unit_id));
-        for (const unit of bundle.unit_manifest.units) {
+        const riskUnitIds = new Set(riskRegisterItems.map((item) => item.unit_id));
+        for (const unit of unitManifestUnits) {
             if (!riskUnitIds.has(unit.unit_id)) {
                 pushIssue(issues, "risk_register", `Missing risk entry for unit ${unit.unit_id}`);
             }
         }
     }
     if (bundle.surface_manifest) {
-        for (const surface of bundle.surface_manifest.surfaces) {
+        for (const surface of surfaceEntries) {
             if (!repoPaths.has(surface.entrypoint)) {
                 pushIssue(issues, `surface_manifest:${surface.id}`, `Surface references unknown entrypoint ${surface.entrypoint}`);
             }
@@ -162,7 +175,7 @@ export function validateArtifactBundle(bundle) {
         }
     }
     if (bundle.runtime_validation_tasks) {
-        for (const task of bundle.runtime_validation_tasks.tasks) {
+        for (const task of runtimeValidationTasks) {
             if (task.target_paths.length === 0) {
                 pushIssue(issues, `runtime_validation_tasks:${task.id}`, "Runtime validation task has no target paths");
             }
@@ -174,14 +187,14 @@ export function validateArtifactBundle(bundle) {
         }
     }
     if (bundle.runtime_validation_report) {
-        for (const result of bundle.runtime_validation_report.results) {
+        for (const result of runtimeValidationResults) {
             if (!runtimeTaskIds.has(result.task_id)) {
                 pushIssue(issues, `runtime_validation_report:${result.task_id}`, `Runtime validation result references unknown task ${result.task_id}`);
             }
         }
     }
     if (bundle.external_analyzer_results) {
-        for (const item of bundle.external_analyzer_results.results) {
+        for (const item of externalAnalyzerResults) {
             if (!repoPaths.has(item.path) && bundle.repo_manifest) {
                 pushIssue(issues, `external_analyzer_results:${item.id}`, `External analyzer result references unknown path ${item.path}`);
             }

package/dist/validation/auditResults.d.ts

@@ -1,11 +1,11 @@
 import type { AuditTask } from "../types.js";
+import { type ValidationIssue } from "./basic.js";
 export type IssueSeverity = "error" | "warning";
-export interface AuditResultIssue {
+export interface AuditResultIssue extends ValidationIssue {
     result_index: number;
     task_id: string;
     severity: IssueSeverity;
     field: string;
-    message: string;
 }
 export interface ValidateAuditResultOptions {
     lineIndex?: Record<string, number>;

package/dist/validation/auditResults.js

@@ -1,3 +1,4 @@
+import { describeValue, formatValidationIssues, isRecord, } from "./basic.js";
 const REQUIRED_FINDING_FIELDS = [
     "id",
     "title",
@@ -24,21 +25,10 @@ const VALID_LENSES = new Set([
 function pushIssue(issues, params) {
     issues.push({
         ...params,
+        path: params.path ?? params.field,
         severity: params.severity ?? "error",
     });
 }
-function describeValue(value) {
-    if (Array.isArray(value)) {
-        return "array";
-    }
-    if (value === null) {
-        return "null";
-    }
-    return typeof value;
-}
-function isRecord(value) {
-    return typeof value === "object" && value !== null && !Array.isArray(value);
-}
 function isNonEmptyString(value) {
     return typeof value === "string" && value.trim().length > 0;
 }
@@ -203,10 +193,11 @@ function validateFinding(finding, label, taskId, resultIndex) {
     }
     return issues;
 }
-function coversAffectedSpan(ranges, path, start, end) {
-    return ranges.some((range) => range.path === path &&
-        range.start <= start &&
-        range.end >= end);
+function coversAffectedSpan(coverage, path, start, end) {
+    return coverage.some((entry) => entry.path === path &&
+        start > 0 &&
+        end > 0 &&
+        end <= entry.total_lines);
 }
 export function validateAuditResults(results, tasks, options = {}) {
     const issues = [];
@@ -251,149 +242,113 @@ export function validateAuditResults(results, tasks, options = {}) {
                 result_index: i,
                 task_id: taskId,
                 field: "task_id",
-                message: `Unknown task_id '${taskId}'.`,
+                message: `Unknown task_id '${taskId}'. Use the active task manifest for valid ids: ` +
+                    tasks.map((item) => item.task_id).join(", "),
             });
         }
-        const reviewedRanges = result.reviewed_ranges;
-        const normalizedReviewedRanges = [];
-        if (!Array.isArray(reviewedRanges) || reviewedRanges.length === 0) {
+        const fileCoverage = result.file_coverage;
+        const normalizedFileCoverage = [];
+        if (!Array.isArray(fileCoverage) || fileCoverage.length === 0) {
             pushIssue(issues, {
                 result_index: i,
                 task_id: taskId,
-                field: "reviewed_ranges",
-                message: "reviewed_ranges is empty — no proof of file reading was recorded. Each result must include the line ranges actually read.",
+                field: "file_coverage",
+                message: "file_coverage is empty — each result must declare every assigned file it reviewed and the file's total line count.",
             });
         }
         else {
-            for (let j = 0; j < reviewedRanges.length; j++) {
-                const range = reviewedRanges[j];
-                if (!isRecord(range)) {
+            const seenCoveragePaths = new Set();
+            for (let j = 0; j < fileCoverage.length; j++) {
+                const entry = fileCoverage[j];
+                if (!isRecord(entry)) {
                     pushIssue(issues, {
                         result_index: i,
                         task_id: taskId,
-                        field: `reviewed_ranges[${j}]`,
-                        message: `reviewed_ranges[${j}] must be an object, got ${describeValue(range)}.`,
+                        field: `file_coverage[${j}]`,
+                        message: `file_coverage[${j}] must be an object, got ${describeValue(entry)}.`,
                     });
                     continue;
                 }
-                if (!isNonEmptyString(range.path)) {
+                if (!isNonEmptyString(entry.path)) {
                     pushIssue(issues, {
                         result_index: i,
                         task_id: taskId,
-                        field: `reviewed_ranges[${j}].path`,
-                        message: "reviewed_ranges entry has an empty path.",
+                        field: `file_coverage[${j}].path`,
+                        message: "file_coverage entry has an empty path.",
                     });
                 }
-                else if (task && !task.file_paths.includes(range.path)) {
+                else if (task && !task.file_paths.includes(entry.path)) {
                     pushIssue(issues, {
                         result_index: i,
                         task_id: taskId,
                         severity: "warning",
-                        field: `reviewed_ranges[${j}].path`,
-                        message: `reviewed_ranges path '${range.path}' is not listed in the task file_paths.`,
-                    });
-                }
-                if (!Number.isInteger(range.start)) {
-                    pushIssue(issues, {
-                        result_index: i,
-                        task_id: taskId,
-                        field: `reviewed_ranges[${j}].start`,
-                        message: `reviewed_ranges[${j}].start must be an integer, got ${describeValue(range.start)}.`,
-                    });
-                }
-                if (!Number.isInteger(range.end)) {
-                    pushIssue(issues, {
-                        result_index: i,
-                        task_id: taskId,
-                        field: `reviewed_ranges[${j}].end`,
-                        message: `reviewed_ranges[${j}].end must be an integer, got ${describeValue(range.end)}.`,
-                    });
-                }
-                if (!Number.isInteger(range.line_count)) {
-                    pushIssue(issues, {
-                        result_index: i,
-                        task_id: taskId,
-                        field: `reviewed_ranges[${j}].line_count`,
-                        message: `reviewed_ranges[${j}].line_count must be an integer, got ${describeValue(range.line_count)}.`,
+                        field: `file_coverage[${j}].path`,
+                        message: `file_coverage path '${entry.path}' is not listed in the task file_paths.`,
                     });
                 }
-                if (Number.isInteger(range.start) &&
-                    Number.isInteger(range.end) &&
-                    Number(range.start) > Number(range.end)) {
+                else if (seenCoveragePaths.has(entry.path)) {
                     pushIssue(issues, {
                         result_index: i,
                         task_id: taskId,
-                        field: `reviewed_ranges[${j}]`,
-                        message: "reviewed_ranges start must be less than or equal to end.",
+                        field: `file_coverage[${j}].path`,
+                        message: `file_coverage path '${entry.path}' is duplicated. Declare each file once.`,
                     });
                 }
-                if (Number.isInteger(range.line_count) &&
-                    Number(range.line_count) <= 0) {
-                    pushIssue(issues, {
-                        result_index: i,
-                        task_id: taskId,
-                        field: `reviewed_ranges[${j}].line_count`,
-                        message: "reviewed_ranges line_count must be greater than zero.",
-                    });
+                else {
+                    seenCoveragePaths.add(entry.path);
                 }
-                if (Number.isInteger(range.start) &&
-                    Number(range.start) <= 0) {
+                if (!Number.isInteger(entry.total_lines)) {
                     pushIssue(issues, {
                         result_index: i,
                         task_id: taskId,
-                        field: `reviewed_ranges[${j}].start`,
-                        message: "reviewed_ranges start must be greater than zero.",
+                        field: `file_coverage[${j}].total_lines`,
+                        message: `file_coverage[${j}].total_lines must be an integer, got ${describeValue(entry.total_lines)}.`,
                     });
                 }
-                if (Number.isInteger(range.end) &&
-                    Number(range.end) <= 0) {
+                if (Number.isInteger(entry.total_lines) &&
+                    Number(entry.total_lines) <= 0) {
                     pushIssue(issues, {
                         result_index: i,
                         task_id: taskId,
-                        field: `reviewed_ranges[${j}].end`,
-                        message: "reviewed_ranges end must be greater than zero.",
+                        field: `file_coverage[${j}].total_lines`,
+                        message: "file_coverage total_lines must be greater than zero.",
                     });
                 }
-                if (Number.isInteger(range.end) &&
-                    Number.isInteger(range.line_count) &&
-                    Number(range.end) > Number(range.line_count)) {
-                    pushIssue(issues, {
-                        result_index: i,
-                        task_id: taskId,
-                        field: `reviewed_ranges[${j}]`,
-                        message: "reviewed_ranges end must not exceed the declared file line_count.",
-                    });
-                }
-                const expectedLineCount = typeof range.path === "string"
-                    ? options.lineIndex?.[range.path]
+                const expectedLineCount = typeof entry.path === "string"
+                    ? options.lineIndex?.[entry.path]
                     : undefined;
-                if (Number.isInteger(range.line_count) &&
+                if (Number.isInteger(entry.total_lines) &&
                     typeof expectedLineCount === "number" &&
-                    Number(range.line_count) !== expectedLineCount) {
+                    Number(entry.total_lines) !== expectedLineCount) {
                     pushIssue(issues, {
                         result_index: i,
                         task_id: taskId,
-                        field: `reviewed_ranges[${j}].line_count`,
-                        message: `reviewed_ranges[${j}].line_count must match the current file line count for '${range.path}' ` +
-                            `(expected ${expectedLineCount}, got ${range.line_count}).`,
+                        field: `file_coverage[${j}].total_lines`,
+                        message: `file_coverage[${j}].total_lines must match the current file line count for '${entry.path}' ` +
+                            `(expected ${expectedLineCount}, got ${entry.total_lines}).`,
                     });
                 }
-                if (isNonEmptyString(range.path) &&
-                    Number.isInteger(range.start) &&
-                    Number.isInteger(range.end) &&
-                    Number.isInteger(range.line_count) &&
-                    Number(range.start) > 0 &&
-                    Number(range.end) > 0 &&
-                    Number(range.start) <= Number(range.end) &&
-                    Number(range.end) <= Number(range.line_count)) {
-                    normalizedReviewedRanges.push({
-                        path: range.path,
-                        start: Number(range.start),
-                        end: Number(range.end),
-                        line_count: Number(range.line_count),
+                if (isNonEmptyString(entry.path) &&
+                    Number.isInteger(entry.total_lines) &&
+                    Number(entry.total_lines) > 0) {
+                    normalizedFileCoverage.push({
+                        path: entry.path,
+                        total_lines: Number(entry.total_lines),
                     });
                 }
             }
+            if (task) {
+                for (const path of task.file_paths) {
+                    if (!seenCoveragePaths.has(path)) {
+                        pushIssue(issues, {
+                            result_index: i,
+                            task_id: taskId,
+                            field: "file_coverage",
+                            message: `file_coverage must include every assigned file. Missing '${path}'.`,
+                        });
+                    }
+                }
+            }
         }
         const findings = result.findings;
         if (!Array.isArray(findings)) {
@@ -424,13 +379,13 @@ export function validateAuditResults(results, tasks, options = {}) {
                 const end = Number.isInteger(affected.line_end)
                     ? Number(affected.line_end)
                     : start;
-                if (!coversAffectedSpan(normalizedReviewedRanges, affected.path, start, end)) {
+                if (!coversAffectedSpan(normalizedFileCoverage, affected.path, start, end)) {
                     pushIssue(issues, {
                         result_index: i,
                         task_id: taskId,
                         field: `${label}.affected_files[${k}]`,
-                        message: `affected_files line span ${affected.path}:${start}-${end} falls outside the declared reviewed_ranges. ` +
-                            "Expand reviewed_ranges to cover the cited lines or fix the affected_files location.",
+                        message: `affected_files line span ${affected.path}:${start}-${end} falls outside the declared file_coverage. ` +
+                            "Fix the affected_files location or correct file_coverage.total_lines.",
                     });
                 }
             }
@@ -439,7 +394,9 @@ export function validateAuditResults(results, tasks, options = {}) {
     return issues;
 }
 export function formatAuditResultIssues(issues) {
-    return issues
-        .map((issue) => `  [${issue.severity}] ${issue.task_id} / ${issue.field}: ${issue.message}`)
-        .join("\n");
+    return formatValidationIssues(issues.map((issue) => ({
+        path: `${issue.task_id} / ${issue.field}`,
+        message: issue.message,
+        severity: issue.severity,
+    })));
 }

package/dist/validation/basic.d.ts

@@ -1,5 +1,13 @@
+export type ValidationSeverity = "error" | "warning";
 export interface ValidationIssue {
     path: string;
     message: string;
+    severity: ValidationSeverity;
 }
-export declare function requireKeys(record: Record<string, unknown>, path: string, keys: string[]): ValidationIssue[];
+export declare function describeValue(value: unknown): string;
+export declare function isRecord(value: unknown): value is Record<string, unknown>;
+export declare function createValidationIssue(path: string, message: string, severity?: ValidationSeverity): ValidationIssue;
+export declare function pushValidationIssue(issues: ValidationIssue[], path: string, message: string, severity?: ValidationSeverity): void;
+export declare function prefixValidationIssues(prefix: string, issues: ValidationIssue[]): ValidationIssue[];
+export declare function formatValidationIssues(issues: ValidationIssue[]): string;
+export declare function requireKeys(value: unknown, path: string, keys: readonly string[]): ValidationIssue[];

package/dist/validation/basic.js

@@ -1,8 +1,45 @@
-export function requireKeys(record, path, keys) {
+export function describeValue(value) {
+    if (Array.isArray(value)) {
+        return "array";
+    }
+    if (value === null) {
+        return "null";
+    }
+    return typeof value;
+}
+export function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+export function createValidationIssue(path, message, severity = "error") {
+    return { path, message, severity };
+}
+export function pushValidationIssue(issues, path, message, severity = "error") {
+    issues.push(createValidationIssue(path, message, severity));
+}
+export function prefixValidationIssues(prefix, issues) {
+    return issues.map((issue) => ({
+        ...issue,
+        path: issue.path.length === 0
+            ? prefix
+            : issue.path === prefix || issue.path.startsWith(`${prefix}.`)
+                ? issue.path
+                : `${prefix}.${issue.path}`,
+    }));
+}
+export function formatValidationIssues(issues) {
+    return issues
+        .map((issue) => `  [${issue.severity}] ${issue.path}: ${issue.message}`)
+        .join("\n");
+}
+export function requireKeys(value, path, keys) {
     const issues = [];
+    if (!isRecord(value)) {
+        pushValidationIssue(issues, path, `Expected an object, got ${describeValue(value)}.`);
+        return issues;
+    }
     for (const key of keys) {
-        if (!(key in record)) {
-            issues.push({ path, message: `Missing required key: ${key}` });
+        if (!(key in value)) {
+            pushValidationIssue(issues, path, `Missing required key: ${key}`);
         }
     }
     return issues;

package/dist/validation/sessionConfig.d.ts

@@ -1,6 +1,8 @@
-import type { SessionConfig } from "../types/sessionConfig.js";
-import type { ValidationIssue } from "./basic.js";
+import { type SessionConfig } from "../types/sessionConfig.js";
+import { type ValidationIssue } from "./basic.js";
 export declare function validateSessionConfig(value: unknown): ValidationIssue[];
 export declare function validateConfiguredProviderEnvironment(sessionConfig: SessionConfig, options?: {
     commandExists?: (command: string) => boolean;
+    pathExists?: (commandPath: string) => boolean;
 }): ValidationIssue[];
+export { formatValidationIssues } from "./basic.js";

package/dist/validation/sessionConfig.js

@@ -1,18 +1,11 @@
 import { spawnSync } from "node:child_process";
-const VALID_PROVIDERS = new Set([
-    "auto",
-    "local-subprocess",
-    "subprocess-template",
-    "claude-code",
-    "opencode",
-    "vscode-task",
-]);
-const VALID_UI_MODES = new Set(["headless", "visible"]);
+import { accessSync, constants } from "node:fs";
+import { PROVIDER_NAMES, SESSION_UI_MODES, } from "../types/sessionConfig.js";
+import { isRecord, pushValidationIssue, } from "./basic.js";
+const VALID_PROVIDERS = new Set(PROVIDER_NAMES);
+const VALID_UI_MODES = new Set(SESSION_UI_MODES);
 function pushIssue(issues, path, message) {
-    issues.push({ path, message });
-}
-function isRecord(value) {
-    return typeof value === "object" && value !== null && !Array.isArray(value);
+    pushValidationIssue(issues, path, message);
 }
 function validateStringArray(value, path, label, issues, options = {}) {
     if (!Array.isArray(value)) {
@@ -74,6 +67,9 @@ function validateAgentProviderSection(value, path, issues) {
         if (typeof value.command !== "string" || value.command.trim().length === 0) {
             pushIssue(issues, `${path}.command`, "command must be a non-empty string when provided.");
         }
+        else if (!isSupportedConfiguredCommand(value.command)) {
+            pushIssue(issues, `${path}.command`, "command must be a bare executable name or direct executable path. Put CLI flags in extra_args.");
+        }
     }
     if (value.extra_args !== undefined) {
         validateStringArray(value.extra_args, `${path}.extra_args`, "extra_args", issues, { allowEmptyArray: true });
@@ -84,6 +80,43 @@ function commandExists(command) {
     const result = spawnSync(lookupCommand, [command], { stdio: "ignore" });
     return result.status === 0;
 }
+function configuredPathExists(commandPath) {
+    try {
+        accessSync(commandPath, constants.F_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function startsWithPathPrefix(command) {
+    return (command.startsWith(".") ||
+        command.startsWith("/") ||
+        command.startsWith("\\\\") ||
+        /^[A-Za-z]:[\\/]/.test(command));
+}
+function containsForbiddenCommandSyntax(command) {
+    return /[\r\n"'`|&;<>]/.test(command);
+}
+function isBareExecutableName(command) {
+    return (command.length > 0 &&
+        !/\s/.test(command) &&
+        !containsForbiddenCommandSyntax(command) &&
+        !/[\\/]/.test(command) &&
+        !/^[A-Za-z]:/.test(command));
+}
+function isDirectExecutablePath(command) {
+    return (command.length > 0 &&
+        !containsForbiddenCommandSyntax(command) &&
+        startsWithPathPrefix(command));
+}
+function isSupportedConfiguredCommand(command) {
+    const trimmed = command.trim();
+    if (trimmed.length === 0 || trimmed !== command) {
+        return false;
+    }
+    return isBareExecutableName(trimmed) || isDirectExecutablePath(trimmed);
+}
 export function validateSessionConfig(value) {
     const issues = [];
     if (value === undefined) {
@@ -122,18 +155,32 @@ export function validateSessionConfig(value) {
 export function validateConfiguredProviderEnvironment(sessionConfig, options = {}) {
     const issues = [];
     const lookupCommand = options.commandExists ?? commandExists;
+    const lookupPath = options.pathExists ?? configuredPathExists;
     const provider = sessionConfig.provider ?? "local-subprocess";
     if (provider === "claude-code") {
         const command = sessionConfig.claude_code?.command ?? "claude";
-        if (!lookupCommand(command)) {
+        if (isBareExecutableName(command) && !lookupCommand(command)) {
             pushIssue(issues, "claude_code.command", `Configured claude-code executable was not found on PATH: ${command}.`);
         }
+        else if (isDirectExecutablePath(command) && !lookupPath(command)) {
+            pushIssue(issues, "claude_code.command", `Configured claude-code executable path does not exist: ${command}.`);
+        }
+        else if (!isSupportedConfiguredCommand(command)) {
+            pushIssue(issues, "claude_code.command", "Configured claude-code command must be a bare executable name or direct path. Put CLI flags in extra_args.");
+        }
     }
     if (provider === "opencode") {
         const command = sessionConfig.opencode?.command ?? "opencode";
-        if (!lookupCommand(command)) {
+        if (isBareExecutableName(command) && !lookupCommand(command)) {
             pushIssue(issues, "opencode.command", `Configured opencode executable was not found on PATH: ${command}.`);
         }
+        else if (isDirectExecutablePath(command) && !lookupPath(command)) {
+            pushIssue(issues, "opencode.command", `Configured opencode executable path does not exist: ${command}.`);
+        }
+        else if (!isSupportedConfiguredCommand(command)) {
+            pushIssue(issues, "opencode.command", "Configured opencode command must be a bare executable name or direct path. Put CLI flags in extra_args.");
+        }
     }
     return issues;
 }
+export { formatValidationIssues } from "./basic.js";