auditor-lambda 0.2.6 → 0.2.9

package/dist/adapters/eslint.js

@@ -1,12 +1,16 @@
 import { normalizeGenericExternalResults } from "./normalizeExternal.js";
 const ESLINT_SEVERITY_ERROR = 2;
 const ESLINT_SEVERITY_WARNING = 1;
+const ESLINT_SEVERITY_MAP = {
+    [ESLINT_SEVERITY_ERROR]: "medium",
+    [ESLINT_SEVERITY_WARNING]: "low",
+};
 function mapSeverity(value) {
-    if (value === ESLINT_SEVERITY_ERROR)
-        return "medium";
-    if (value === ESLINT_SEVERITY_WARNING)
-        return "low";
-    return "info";
+    // ESLint's JSON formatter emits 2 for errors and 1 for warnings.
+    if (typeof value !== "number") {
+        return "info";
+    }
+    return ESLINT_SEVERITY_MAP[value] ?? "info";
 }
 export function normalizeEslintJson(input) {
     return normalizeGenericExternalResults("eslint", input.flatMap((file) => (file.messages ?? []).map((message, index) => ({

package/dist/cli.d.ts

@@ -1 +1,42 @@
-export declare function runSample(): Promise<void>;
+import type { SessionConfig } from "./types/sessionConfig.js";
+type UiMode = "visible" | "headless";
+declare function getFlag(argv: string[], name: string, fallback?: string): string | undefined;
+declare function hasFlag(argv: string[], name: string): boolean;
+declare function getArtifactsDir(argv: string[]): string;
+declare function getRootDir(argv: string[]): string;
+declare function getBatchResultsDir(argv: string[]): string | undefined;
+declare function getMaxRuns(argv: string[]): number;
+declare function getAgentBatchSize(argv: string[], sessionConfig: SessionConfig): number;
+declare function getParallelWorkers(argv: string[], sessionConfig: SessionConfig): number;
+declare function getTimeoutMs(argv: string[], sessionConfig: SessionConfig): number;
+declare function chunkArray<T>(arr: T[], size: number): T[][];
+declare function getUiMode(argv: string[], fallback?: UiMode): UiMode;
+declare function countLines(path: string): Promise<number>;
+declare function looksLikeCliFlag(value: string | undefined): boolean;
+export declare const cliTestUtils: {
+    defaults: {
+        rootDir: string;
+        artifactsDir: string;
+        maxRuns: number;
+        agentBatchSize: number;
+        parallelWorkers: number;
+        timeoutMs: number;
+        uiMode: UiMode;
+    };
+    getFlag: typeof getFlag;
+    hasFlag: typeof hasFlag;
+    getArtifactsDir: typeof getArtifactsDir;
+    getRootDir: typeof getRootDir;
+    getBatchResultsDir: typeof getBatchResultsDir;
+    getMaxRuns: typeof getMaxRuns;
+    getAgentBatchSize: typeof getAgentBatchSize;
+    getParallelWorkers: typeof getParallelWorkers;
+    getTimeoutMs: typeof getTimeoutMs;
+    chunkArray: typeof chunkArray;
+    getUiMode: typeof getUiMode;
+    looksLikeCliFlag: typeof looksLikeCliFlag;
+    countLines: typeof countLines;
+};
+export declare function runSample(argv?: string[]): Promise<void>;
+export declare function runCli(argv: string[]): Promise<void>;
+export {};

package/dist/cli.js

@@ -1,20 +1,22 @@
 import { access, mkdir, readdir, rename } from "node:fs/promises";
 import { createReadStream } from "node:fs";
 import { basename, dirname, join, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
 import { buildRepoManifest } from "./extractors/fileInventory.js";
 import { buildFileDisposition } from "./extractors/disposition.js";
 import { buildCriticalFlowManifest } from "./extractors/flows.js";
 import { buildSurfaceManifest } from "./extractors/surfaces.js";
 import { buildUnitManifest } from "./orchestrator/unitBuilder.js";
 import { buildFlowCoverage } from "./orchestrator/flowCoverage.js";
-import { buildRuntimeValidationTasks, buildPlaceholderRuntimeValidationReport, } from "./orchestrator/runtimeValidation.js";
+import { buildRuntimeValidationTasks, } from "./orchestrator/runtimeValidation.js";
 import { initializeCoverageFromPlan } from "./orchestrator/planning.js";
-import { loadArtifactBundle, writeCoreArtifacts, cleanupIntermediateArtifacts, } from "./io/artifacts.js";
+import { loadArtifactBundle, writeCoreArtifacts, promoteFinalAuditReport, } from "./io/artifacts.js";
 import { readJsonFile, writeJsonFile } from "./io/json.js";
 import { validateArtifactBundle } from "./validation/artifacts.js";
 import { validateAuditResults, formatAuditResultIssues, } from "./validation/auditResults.js";
+import { prefixValidationIssues } from "./validation/basic.js";
 import { validateConfiguredProviderEnvironment, validateSessionConfig, } from "./validation/sessionConfig.js";
-import { buildSynthesisReport } from "./reporting/synthesis.js";
+import { buildAuditReportModel, renderAuditReportMarkdown, } from "./reporting/synthesis.js";
 import { deriveAuditState } from "./orchestrator/state.js";
 import { advanceAudit } from "./orchestrator/advance.js";
 import { decideNextStep } from "./orchestrator/nextStep.js";
@@ -22,83 +24,107 @@ import { createFreshSessionProvider, resolveFreshSessionProviderName, } from "./
 import { appendRunLedgerEntry } from "./supervisor/runLedger.js";
 import { buildAuditCodeHandoff, writeAuditCodeHandoffArtifacts, } from "./supervisor/operatorHandoff.js";
 import { getSessionConfigPath, loadSessionConfig, readSessionConfigFile, } from "./supervisor/sessionConfig.js";
-import { buildRunId, ensureSupervisorDirs, getRunPaths, writeWorkerTaskFiles, } from "./io/runArtifacts.js";
+import { clearDispatchFiles, buildRunId, ensureSupervisorDirs, getRunPaths, writeWorkerTaskFiles, } from "./io/runArtifacts.js";
 import { renderWorkerPrompt } from "./prompts/renderWorkerPrompt.js";
 import { LOCAL_SUBPROCESS_PROVIDER_NAME } from "./providers/constants.js";
+import { runAuditCodeMcpServer } from "./mcp/server.js";
 const ADVANCE_AUDIT_CONTRACT_VERSION = "audit-code/v1alpha1";
 const WORKER_RESULT_CONTRACT_VERSION = "audit-code-worker-result/v1alpha1";
-const DEFAULT_MAX_RUNS = 1000;
-const DEFAULT_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes
-const sampleFiles = [
+const DIRECT_CLI_DEFAULTS = {
+    rootDir: ".",
+    artifactsDir: ".artifacts",
+    maxRuns: 1000,
+    agentBatchSize: 1,
+    parallelWorkers: 1,
+    timeoutMs: 30 * 60 * 1000, // 30 minutes
+    uiMode: "headless",
+};
+// Keep the sample-run payload explicit so the demo command is deterministic.
+const SAMPLE_REPO_FILES = [
     { path: "src/api/auth.ts", size_bytes: 1240, hash: "abc123" },
     { path: "src/lib/session.ts", size_bytes: 980, hash: "def456" },
     { path: "infra/deploy.yml", size_bytes: 420, hash: "ghi789" },
     { path: "docs/notes.md", size_bytes: 300, hash: "doc111" },
 ];
+function isLongFlagToken(value) {
+    return typeof value === "string" && value.startsWith("--");
+}
+// Read a long-form CLI flag while treating a following flag token as "missing".
 function getFlag(argv, name, fallback) {
     const index = argv.indexOf(name);
-    if (index >= 0 && argv[index + 1])
-        return argv[index + 1];
-    return fallback;
+    if (index < 0)
+        return fallback;
+    const candidate = argv[index + 1];
+    if (!candidate || isLongFlagToken(candidate))
+        return fallback;
+    return candidate;
 }
+// Boolean flags only care whether the token is present at all.
 function hasFlag(argv, name) {
     return argv.includes(name);
 }
+function resolveFlagPath(argv, name, fallback) {
+    return resolve(getFlag(argv, name, fallback));
+}
+function normalizePositiveInteger(value) {
+    if (typeof value !== "number" || !Number.isFinite(value) || value <= 0) {
+        return undefined;
+    }
+    return Math.floor(value);
+}
+function parsePositiveIntegerFlag(argv, name) {
+    const raw = getFlag(argv, name);
+    if (raw === undefined) {
+        return undefined;
+    }
+    return normalizePositiveInteger(Number(raw));
+}
 function getArtifactsDir(argv) {
-    return resolve(getFlag(argv, "--artifacts-dir", ".artifacts"));
+    return resolveFlagPath(argv, "--artifacts-dir", DIRECT_CLI_DEFAULTS.artifactsDir);
 }
 function getRootDir(argv) {
-    return resolve(getFlag(argv, "--root", "."));
+    return resolveFlagPath(argv, "--root", DIRECT_CLI_DEFAULTS.rootDir);
 }
 function getBatchResultsDir(argv) {
     const value = getFlag(argv, "--batch-results");
     return value ? resolve(value) : undefined;
 }
 function getMaxRuns(argv) {
-    const raw = Number(getFlag(argv, "--max-runs", String(DEFAULT_MAX_RUNS)));
-    return Number.isFinite(raw) && raw > 0 ? Math.floor(raw) : DEFAULT_MAX_RUNS;
+    return parsePositiveIntegerFlag(argv, "--max-runs") ?? DIRECT_CLI_DEFAULTS.maxRuns;
 }
 function getAgentBatchSize(argv, sessionConfig) {
-    const fromArg = getFlag(argv, "--agent-batch-size");
-    if (fromArg !== undefined) {
-        const parsed = Number(fromArg);
-        if (Number.isFinite(parsed) && parsed > 0)
-            return Math.floor(parsed);
-    }
-    if (typeof sessionConfig.agent_task_batch_size === "number" && sessionConfig.agent_task_batch_size > 0) {
-        return Math.floor(sessionConfig.agent_task_batch_size);
-    }
-    return 1;
+    return (parsePositiveIntegerFlag(argv, "--agent-batch-size") ??
+        normalizePositiveInteger(sessionConfig.agent_task_batch_size) ??
+        DIRECT_CLI_DEFAULTS.agentBatchSize);
 }
 function getParallelWorkers(argv, sessionConfig) {
-    const fromArg = getFlag(argv, "--parallel");
-    if (fromArg !== undefined) {
-        const parsed = Number(fromArg);
-        if (Number.isFinite(parsed) && parsed > 0)
-            return Math.floor(parsed);
-    }
-    if (typeof sessionConfig.parallel_workers === "number" && sessionConfig.parallel_workers > 0) {
-        return Math.floor(sessionConfig.parallel_workers);
-    }
-    return 1;
+    return (parsePositiveIntegerFlag(argv, "--parallel") ??
+        normalizePositiveInteger(sessionConfig.parallel_workers) ??
+        DIRECT_CLI_DEFAULTS.parallelWorkers);
 }
 function getTimeoutMs(argv, sessionConfig) {
-    const fromArg = getFlag(argv, "--timeout");
-    if (fromArg !== undefined) {
-        const parsed = Number(fromArg);
-        if (Number.isFinite(parsed) && parsed > 0)
-            return Math.floor(parsed);
-    }
-    return sessionConfig.timeout_ms ?? DEFAULT_TIMEOUT_MS;
+    return (parsePositiveIntegerFlag(argv, "--timeout") ??
+        normalizePositiveInteger(sessionConfig.timeout_ms) ??
+        DIRECT_CLI_DEFAULTS.timeoutMs);
+}
+function getExplicitProvider(argv) {
+    return getFlag(argv, "--provider");
+}
+function resolveRunProviderName(argv, sessionConfig) {
+    return resolveFreshSessionProviderName(getExplicitProvider(argv) ?? LOCAL_SUBPROCESS_PROVIDER_NAME, sessionConfig);
 }
 function chunkArray(arr, size) {
+    const chunkSize = normalizePositiveInteger(size);
+    if (chunkSize === undefined) {
+        throw new Error("chunkArray size must be a positive integer.");
+    }
     const chunks = [];
-    for (let i = 0; i < arr.length; i += size) {
-        chunks.push(arr.slice(i, i + size));
+    for (let i = 0; i < arr.length; i += chunkSize) {
+        chunks.push(arr.slice(i, i + chunkSize));
     }
     return chunks;
 }
-function getUiMode(argv, fallback = "headless") {
+function getUiMode(argv, fallback = DIRECT_CLI_DEFAULTS.uiMode) {
     const raw = getFlag(argv, "--ui");
     if (raw === "visible")
         return "visible";
@@ -143,19 +169,9 @@ async function emitEnvelope(params) {
 }
 function buildManualReviewBlocker(providerName) {
     return providerName === LOCAL_SUBPROCESS_PROVIDER_NAME
-        ? "Automatic local-subprocess work is exhausted. Remaining audit tasks require explicit audit results or an interactive provider such as claude-code, opencode, or subprocess-template."
+        ? "Automatic backend steps are exhausted. Remaining semantic review now belongs to the active conversation agent. Review the dispatched files, write structured audit results, and run the generated worker command to ingest them. If you intentionally want a backend bridge instead, re-run audit-code with --provider auto, --provider claude-code, --provider opencode, --provider subprocess-template, or --provider vscode-task."
         : "Automatic work is exhausted. Remaining audit tasks require explicit audit results or an interactive provider.";
 }
-function prefixValidationIssues(prefix, issues) {
-    return issues.map((issue) => ({
-        path: issue.path.length === 0
-            ? prefix
-            : issue.path === prefix || issue.path.startsWith(`${prefix}.`)
-                ? issue.path
-                : `${prefix}.${issue.path}`,
-        message: issue.message,
-    }));
-}
 function buildBlockedAuditState(params) {
     return {
         ...params.state,
@@ -278,8 +294,24 @@ function buildWorkerFailureBlocker(workerResult) {
         : workerResult.summary;
 }
 function looksLikeCliFlag(value) {
-    return typeof value === "string" && value.startsWith("--");
+    return isLongFlagToken(value);
 }
+export const cliTestUtils = {
+    defaults: DIRECT_CLI_DEFAULTS,
+    getFlag,
+    hasFlag,
+    getArtifactsDir,
+    getRootDir,
+    getBatchResultsDir,
+    getMaxRuns,
+    getAgentBatchSize,
+    getParallelWorkers,
+    getTimeoutMs,
+    chunkArray,
+    getUiMode,
+    looksLikeCliFlag,
+    countLines,
+};
 async function maybeArchiveLegacyPendingResults(auditResultsPath) {
     if (!auditResultsPath || basename(auditResultsPath) !== "worker_results_pending.json") {
         return undefined;
@@ -387,8 +419,8 @@ function isWorkerResult(value) {
         value.contract_version ===
             WORKER_RESULT_CONTRACT_VERSION);
 }
-export async function runSample() {
-    const repoManifest = buildRepoManifest("sample-repo", sampleFiles);
+export async function runSample(argv = process.argv) {
+    const repoManifest = buildRepoManifest("sample-repo", SAMPLE_REPO_FILES);
     const disposition = buildFileDisposition(repoManifest);
     const unitManifest = buildUnitManifest(repoManifest, disposition);
     const surfaceManifest = buildSurfaceManifest(repoManifest, disposition);
@@ -401,18 +433,35 @@ export async function runSample() {
             pass_id: "pass:security",
             lens: "security",
             agent_role: "security-auditor",
-            reviewed_ranges: [
-                { path: "src/api/auth.ts", start: 1, end: 100, line_count: 100 },
-            ],
+            file_coverage: [{ path: "src/api/auth.ts", total_lines: 100 }],
             findings: [],
             notes: ["Sample result ingestion path."],
             requires_followup: false,
         },
     ];
     const flowCoverage = buildFlowCoverage(criticalFlows, coverage);
-    const runtimeValidationTasks = buildRuntimeValidationTasks(unitManifest, criticalFlows, flowCoverage);
-    const runtimeValidationReport = buildPlaceholderRuntimeValidationReport(runtimeValidationTasks);
-    const synthesisReport = buildSynthesisReport(sampleResults, runtimeValidationReport);
+    const runtimeValidationTasks = buildRuntimeValidationTasks({
+        unitManifest,
+        criticalFlows,
+        flowCoverage,
+        command: ["npm", "test"],
+    });
+    const runtimeValidationReport = {
+        results: runtimeValidationTasks.tasks.map((task) => ({
+            task_id: task.id,
+            status: "confirmed",
+            summary: "Sample runtime validation completed.",
+            evidence: [],
+            notes: [],
+        })),
+    };
+    const auditReport = renderAuditReportMarkdown(buildAuditReportModel({
+        results: sampleResults,
+        unitManifest,
+        criticalFlows,
+        coverageMatrix: coverage,
+        runtimeValidationReport,
+    }));
     const auditState = deriveAuditState({
         repo_manifest: repoManifest,
         file_disposition: disposition,
@@ -424,9 +473,9 @@ export async function runSample() {
         runtime_validation_tasks: runtimeValidationTasks,
         runtime_validation_report: runtimeValidationReport,
         audit_results: sampleResults,
-        synthesis_report: synthesisReport,
+        audit_report: auditReport,
     });
-    const artifactsDir = getArtifactsDir(process.argv);
+    const artifactsDir = getArtifactsDir(argv);
     await mkdir(artifactsDir, { recursive: true });
     await writeCoreArtifacts(artifactsDir, {
         repo_manifest: repoManifest,
@@ -439,7 +488,7 @@ export async function runSample() {
         runtime_validation_tasks: runtimeValidationTasks,
         runtime_validation_report: runtimeValidationReport,
         audit_results: sampleResults,
-        synthesis_report: synthesisReport,
+        audit_report: auditReport,
         audit_state: auditState,
     });
     console.log(JSON.stringify({ audit_state: auditState, artifacts_dir: artifactsDir }, null, 2));
@@ -448,7 +497,7 @@ async function cmdAdvanceAudit(argv) {
     const root = getRootDir(argv);
     const artifactsDir = getArtifactsDir(argv);
     const sessionConfig = await loadSessionConfig(artifactsDir);
-    const providerName = resolveFreshSessionProviderName(getFlag(argv, "--provider"), sessionConfig);
+    const providerName = resolveRunProviderName(argv, sessionConfig);
     const batchResultsDir = getBatchResultsDir(argv);
     if (batchResultsDir && getFlag(argv, "--results")) {
         throw new Error("Use either --results <file> or --batch-results <dir>, not both.");
@@ -459,6 +508,9 @@ async function cmdAdvanceAudit(argv) {
             artifactsDir,
             batchDir: batchResultsDir,
         });
+        if (result.selected_executor !== "agent") {
+            await clearDispatchFiles(artifactsDir);
+        }
         await emitEnvelope({
             root,
             artifactsDir,
@@ -473,7 +525,7 @@ async function cmdAdvanceAudit(argv) {
             providerName,
         });
         if (result.audit_state.status === "complete") {
-            await cleanupIntermediateArtifacts(artifactsDir);
+            await promoteFinalAuditReport({ artifactsDir, repoRoot: root });
         }
         return;
     }
@@ -487,6 +539,9 @@ async function cmdAdvanceAudit(argv) {
         runtimeUpdatesPath: getFlag(argv, "--updates"),
         externalAnalyzerPath,
     });
+    if (result.selected_executor !== "agent") {
+        await clearDispatchFiles(artifactsDir);
+    }
     await emitEnvelope({
         root,
         artifactsDir,
@@ -501,20 +556,21 @@ async function cmdAdvanceAudit(argv) {
         providerName,
     });
     if (result.audit_state.status === "complete") {
-        await cleanupIntermediateArtifacts(artifactsDir);
+        await promoteFinalAuditReport({ artifactsDir, repoRoot: root });
     }
 }
 async function cmdRunToCompletion(argv) {
     const root = getRootDir(argv);
     const artifactsDir = getArtifactsDir(argv);
     const sessionConfig = await loadSessionConfig(artifactsDir);
-    const provider = createFreshSessionProvider(getFlag(argv, "--provider"), sessionConfig);
+    const explicitProvider = getExplicitProvider(argv);
+    const provider = createFreshSessionProvider(explicitProvider ?? LOCAL_SUBPROCESS_PROVIDER_NAME, sessionConfig);
     const uiMode = getUiMode(argv, sessionConfig.ui_mode ?? "headless");
     const maxRuns = getMaxRuns(argv);
     const agentBatchSize = getAgentBatchSize(argv, sessionConfig);
     const parallelWorkers = getParallelWorkers(argv, sessionConfig);
     const timeoutMs = getTimeoutMs(argv, sessionConfig);
-    const selfCliPath = resolve(process.argv[1] ?? "");
+    const selfCliPath = resolve(argv[1] ?? process.argv[1] ?? "");
     await mkdir(artifactsDir, { recursive: true });
     await ensureSupervisorDirs(artifactsDir);
     const batchResultsDir = getBatchResultsDir(argv);
@@ -622,6 +678,8 @@ async function cmdRunToCompletion(argv) {
                 ],
                 audit_results_path: blockAuditResultsPath,
                 pending_audit_tasks_path: blockPendingTasksPath,
+                timeout_ms: timeoutMs,
+                max_retries: 0,
             };
             const blockPrompt = renderWorkerPrompt(blockTask);
             await writeWorkerTaskFiles(blockTask, blockPrompt, blockPaths, artifactsDir, blockPendingTasks);
@@ -646,6 +704,7 @@ async function cmdRunToCompletion(argv) {
         }
         if (!preferredExecutor) {
             const state = bundle.audit_state ?? decision.state;
+            await clearDispatchFiles(artifactsDir);
             await emitEnvelope({
                 root,
                 artifactsDir,
@@ -666,7 +725,7 @@ async function cmdRunToCompletion(argv) {
                 providerName: provider.name,
             });
             if (state.status === "complete") {
-                await cleanupIntermediateArtifacts(artifactsDir);
+                await promoteFinalAuditReport({ artifactsDir, repoRoot: root });
             }
             return;
         }
@@ -691,7 +750,9 @@ async function cmdRunToCompletion(argv) {
                     worker_command: [process.execPath, selfCliPath, "worker-run", "--task", slotPaths.taskPath],
                     audit_results_path: slotAuditResultsPath,
                     pending_audit_tasks_path: slotPendingTasksPath,
-                    skip_worker_command: true,
+                    worker_command_mode: "deferred",
+                    timeout_ms: timeoutMs,
+                    max_retries: 0,
                 };
                 const slotPrompt = renderWorkerPrompt(slotTask);
                 await writeWorkerTaskFiles(slotTask, slotPrompt, slotPaths, artifactsDir, group);
@@ -863,6 +924,8 @@ async function cmdRunToCompletion(argv) {
             pending_audit_tasks_path: pendingAuditTasksPath,
             runtime_updates_path: runtimeUpdatesPath,
             external_analyzer_results_path: externalAnalyzerPath,
+            timeout_ms: timeoutMs,
+            max_retries: 0,
         };
         const prompt = renderWorkerPrompt(task);
         await writeWorkerTaskFiles(task, prompt, paths, artifactsDir, pendingAuditTasks);
@@ -989,6 +1052,9 @@ async function cmdRunToCompletion(argv) {
     const bundle = await loadArtifactBundle(artifactsDir);
     const decision = decideNextStep(bundle);
     const state = bundle.audit_state ?? decision.state;
+    if (state.status === "complete") {
+        await clearDispatchFiles(artifactsDir);
+    }
     await emitEnvelope({
         root,
         artifactsDir,
@@ -1236,6 +1302,31 @@ async function cmdValidate(argv) {
     }, null, 2));
     process.exitCode = issues.length > 0 ? 1 : 0;
 }
+async function cmdValidateResults(argv) {
+    const artifactsDir = getArtifactsDir(argv);
+    const resultsPath = getFlag(argv, "--results");
+    if (!resultsPath) {
+        throw new Error("validate-results requires --results <file>");
+    }
+    const bundle = await loadArtifactBundle(artifactsDir);
+    const lineIndex = bundle.repo_manifest
+        ? await buildLineIndex(getRootDir(argv), bundle.repo_manifest)
+        : undefined;
+    const auditResults = await readJsonFile(resultsPath);
+    const issues = validateAuditResults(auditResults, bundle.audit_tasks ?? [], {
+        lineIndex,
+    });
+    const errors = issues.filter((issue) => issue.severity === "error");
+    const warnings = issues.filter((issue) => issue.severity === "warning");
+    console.log(JSON.stringify({
+        artifacts_dir: artifactsDir,
+        results_path: resolve(resultsPath),
+        warning_count: warnings.length,
+        error_count: errors.length,
+        issues,
+    }, null, 2));
+    process.exitCode = errors.length > 0 ? 1 : 0;
+}
 async function cmdRequeue(argv) {
     const artifactsDir = getArtifactsDir(argv);
     const bundle = await loadArtifactBundle(artifactsDir);
@@ -1257,11 +1348,14 @@ async function cmdSynthesize(argv) {
         progress_summary: result.progress_summary,
     }, null, 2));
 }
+async function cmdMcp(argv) {
+    await runAuditCodeMcpServer(argv.slice(3));
+}
 async function main(argv) {
     const command = argv[2] ?? "sample-run";
     switch (command) {
         case "sample-run":
-            await runSample();
+            await runSample(argv);
             return;
         case "advance-audit":
             await cmdAdvanceAudit(argv);
@@ -1293,19 +1387,37 @@ async function main(argv) {
         case "validate":
             await cmdValidate(argv);
             return;
+        case "validate-results":
+            await cmdValidateResults(argv);
+            return;
         case "requeue":
             await cmdRequeue(argv);
             return;
         case "synthesize":
             await cmdSynthesize(argv);
             return;
+        case "mcp":
+            await cmdMcp(argv);
+            return;
         default:
             console.error(`Unknown command: ${command}`);
-            console.error("Available commands: sample-run, advance-audit, run-to-completion, worker-run, import-external-analyzer, intake, plan, ingest-results, explain-task, update-runtime-validation, validate, requeue, synthesize");
+            console.error("Available commands: sample-run, advance-audit, run-to-completion, worker-run, import-external-analyzer, intake, plan, ingest-results, explain-task, update-runtime-validation, validate, validate-results, requeue, synthesize, mcp");
             process.exitCode = 1;
     }
 }
-await main(process.argv).catch((error) => {
-    console.error(error instanceof Error ? error.message : String(error));
-    process.exitCode = 1;
-});
+export async function runCli(argv) {
+    await main(argv).catch((error) => {
+        console.error(error instanceof Error ? error.message : String(error));
+        process.exitCode = 1;
+    });
+}
+function isDirectCliExecution(argv) {
+    const entryPath = argv[1];
+    if (!entryPath) {
+        return false;
+    }
+    return resolve(entryPath) === fileURLToPath(import.meta.url);
+}
+if (isDirectCliExecution(process.argv)) {
+    await runCli(process.argv);
+}

package/dist/coverage.d.ts

@@ -1,8 +1,8 @@
-import type { CoverageFileRecord, CoverageMatrix, Lens, ReviewedLineRange } from "./types.js";
+import type { CoverageFileRecord, CoverageMatrix, FileCoverageRecord, Lens } from "./types.js";
 export declare function createCoverageMatrix(paths: string[]): CoverageMatrix;
 export declare function markExcludedPath(matrix: CoverageMatrix, path: string, classificationStatus: string): void;
 export declare function applyUnitCoverage(matrix: CoverageMatrix, path: string, unitId: string, requiredLenses: Lens[]): void;
-export declare function applyReviewedRanges(matrix: CoverageMatrix, reviewedRanges: ReviewedLineRange[]): void;
+export declare function applyFileCoverage(matrix: CoverageMatrix, fileCoverage: FileCoverageRecord[]): void;
 export declare function findUncoveredFiles(matrix: CoverageMatrix): CoverageFileRecord[];
 export declare function buildRequeueTargets(matrix: CoverageMatrix): Array<{
     path: string;

package/dist/coverage.js

@@ -32,13 +32,13 @@ export function applyUnitCoverage(matrix, path, unitId, requiredLenses) {
         ...new Set([...record.required_lenses, ...requiredLenses]),
     ];
 }
-export function applyReviewedRanges(matrix, reviewedRanges) {
-    for (const range of reviewedRanges) {
-        const record = matrix.files.find((file) => file.path === range.path);
+export function applyFileCoverage(matrix, fileCoverage) {
+    for (const coverage of fileCoverage) {
+        const record = matrix.files.find((file) => file.path === coverage.path);
         if (!record || record.audit_status === "excluded")
             continue;
-        if (range.lens && !record.completed_lenses.includes(range.lens)) {
-            record.completed_lenses.push(range.lens);
+        if (coverage.lens && !record.completed_lenses.includes(coverage.lens)) {
+            record.completed_lenses.push(coverage.lens);
         }
     }
     for (const file of matrix.files) {

package/dist/extractors/bucketing.d.ts

@@ -4,4 +4,8 @@ export interface BucketAssignment {
     buckets: FileBucket[];
     rationale: string[];
 }
+/**
+ * Buckets files using the shared extractor heuristics so intake stays
+ * consistent across OS-specific path separators and mixed-case manifests.
+ */
 export declare function bucketFile(path: string): BucketAssignment;

package/dist/extractors/bucketing.js

@@ -1,12 +1,16 @@
-import { isNodeModulesOrGit, isTestPath, isInterfacePath, isDataLayerPath, isSecuritySensitivePath, isConcurrencyPath, isScriptPath, isDeploymentConfigPath, isDocPath, isGeneratedPath, } from "./pathPatterns.js";
+import { isNodeModulesOrGit, isTestPath, isInterfacePath, isDataLayerPath, isSecuritySensitivePath, isConcurrencyPath, isScriptPath, isDeploymentConfigPath, isDocPath, isGeneratedPath, normalizeExtractorPath, } from "./pathPatterns.js";
 function addBucket(buckets, rationale, bucket, reason) {
     if (!buckets.has(bucket)) {
         buckets.add(bucket);
         rationale.push(reason);
     }
 }
+/**
+ * Buckets files using the shared extractor heuristics so intake stays
+ * consistent across OS-specific path separators and mixed-case manifests.
+ */
 export function bucketFile(path) {
-    const normalized = path.toLowerCase();
+    const normalized = normalizeExtractorPath(path);
     const buckets = new Set();
     const rationale = [];
     if (isNodeModulesOrGit(normalized)) {

package/dist/extractors/disposition.d.ts

@@ -1,4 +1,8 @@
 import type { RepoManifest } from "../types.js";
 import type { FileDisposition, FileDispositionStatus } from "../types/disposition.js";
+/**
+ * Applies shared path heuristics to mark files that should be excluded or
+ * down-scoped before audit planning begins.
+ */
 export declare function buildFileDisposition(repoManifest: RepoManifest): FileDisposition;
 export declare function isAuditExcludedStatus(status: FileDispositionStatus): boolean;