auditor-lambda 0.2.6 → 0.2.9

package/dist/orchestrator/internalExecutors.js

@@ -1,3 +1,4 @@
+import { spawn } from "node:child_process";
 import { buildFileDisposition } from "../extractors/disposition.js";
 import { buildGraphBundle } from "../extractors/graph.js";
 import { buildCriticalFlowManifest } from "../extractors/flows.js";
@@ -5,28 +6,50 @@ import { buildRiskRegister } from "../extractors/risk.js";
 import { buildSurfaceManifest } from "../extractors/surfaces.js";
 import { initializeCoverageFromPlan } from "./planning.js";
 import { buildFlowCoverage } from "./flowCoverage.js";
-import { buildFlowAwareTaskAugmentations } from "./flowPlanning.js";
 import { buildRequeuePayload } from "./requeueCommand.js";
-import { buildRuntimeValidationTasks, buildPlaceholderRuntimeValidationReport, mergeRuntimeValidationReport, } from "./runtimeValidation.js";
-import { buildSynthesisReport } from "../reporting/synthesis.js";
-import { buildChunkedAuditTasks, buildExternalSignalTasks, } from "./taskBuilder.js";
+import { buildRuntimeValidationTasks, discoverRuntimeValidationCommand, mergeRuntimeValidationReport, } from "./runtimeValidation.js";
+import { buildAuditReportModel, renderAuditReportMarkdown, } from "../reporting/synthesis.js";
+import { buildChunkedAuditTasks, } from "./taskBuilder.js";
 import { buildUnitManifest } from "./unitBuilder.js";
 import { buildRepoManifestFromFs } from "../extractors/fsIntake.js";
 import { loadIgnoreFile } from "../extractors/ignore.js";
 import { ingestAuditResults, updateAuditTaskStatuses, } from "./resultIngestion.js";
 import { updateRuntimeValidationReport } from "./runtimeValidationUpdate.js";
 import { autoCompleteTrivialCoverage } from "./trivialAudit.js";
-function buildSynthesisArtifacts(synthesisReport) {
-    return {
-        synthesis_report: synthesisReport,
-        merged_findings: { findings: synthesisReport.merged_findings },
-        root_cause_clusters: { clusters: synthesisReport.root_cause_clusters },
-    };
-}
-function preserveOrPlaceholder(tasks, existing) {
-    return existing
-        ? mergeRuntimeValidationReport(tasks, existing)
-        : buildPlaceholderRuntimeValidationReport(tasks);
+async function runCommand(command, cwd) {
+    return await new Promise((resolve) => {
+        const child = spawn(command[0], command.slice(1), {
+            cwd,
+            env: process.env,
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        let stdout = "";
+        let stderr = "";
+        child.stdout.on("data", (chunk) => {
+            stdout += String(chunk);
+        });
+        child.stderr.on("data", (chunk) => {
+            stderr += String(chunk);
+        });
+        child.on("error", (error) => {
+            resolve({
+                status: "inconclusive",
+                summary: `Failed to execute ${command.join(" ")}: ${error.message}`,
+                evidence: [],
+            });
+        });
+        child.on("exit", (code) => {
+            const output = `${stdout}\n${stderr}`.trim();
+            const evidence = output.length > 0 ? output.split(/\r?\n/).slice(-10) : [];
+            resolve({
+                status: code === 0 ? "confirmed" : "not_confirmed",
+                summary: code === 0
+                    ? `Deterministic runtime command succeeded: ${command.join(" ")}`
+                    : `Deterministic runtime command failed with exit code ${code}: ${command.join(" ")}`,
+                evidence,
+            });
+        });
+    });
 }
 export async function runIntakeExecutor(bundle, root) {
     const ignore = await loadIgnoreFile(root);
@@ -54,8 +77,8 @@ export function runStructureExecutor(bundle) {
     const disposition = bundle.file_disposition ?? buildFileDisposition(bundle.repo_manifest);
     const unitManifest = buildUnitManifest(bundle.repo_manifest, disposition);
     const surfaceManifest = buildSurfaceManifest(bundle.repo_manifest, disposition);
-    const criticalFlows = buildCriticalFlowManifest(bundle.repo_manifest, surfaceManifest, disposition);
     const graphBundle = buildGraphBundle(bundle.repo_manifest, disposition);
+    const criticalFlows = buildCriticalFlowManifest(bundle.repo_manifest, surfaceManifest, disposition);
     const riskRegister = buildRiskRegister(unitManifest, criticalFlows, externalAnalyzerResults);
     return {
         updated: {
@@ -75,10 +98,13 @@ export function runStructureExecutor(bundle) {
             "critical_flows.json",
             "risk_register.json",
         ],
-        progress_summary: `Built structure artifacts for ${unitManifest.units.length} units and ${criticalFlows.flows.length} critical flows.`,
+        progress_summary: `Built structure artifacts for ${unitManifest.units.length} units and ${criticalFlows.flows.length} critical flows.` +
+            (criticalFlows.fallback_required
+                ? " Deterministic flow inference did not fully meet the confidence bar."
+                : ""),
     };
 }
-export function runPlanningExecutor(bundle, lineIndex = {}) {
+export async function runPlanningExecutor(bundle, root, lineIndex = {}) {
     if (!bundle.repo_manifest) {
         throw new Error("Cannot run planning executor without repo_manifest");
     }
@@ -91,16 +117,23 @@ export function runPlanningExecutor(bundle, lineIndex = {}) {
     }
     const externalAnalyzerResults = bundle.external_analyzer_results;
     const coverage = initializeCoverageFromPlan(bundle.repo_manifest, bundle.unit_manifest, bundle.file_disposition, externalAnalyzerResults);
-    const autoSkippedTrivialFiles = autoCompleteTrivialCoverage(coverage, lineIndex, externalAnalyzerResults);
+    const skippedTrivialPaths = autoCompleteTrivialCoverage(coverage, lineIndex, externalAnalyzerResults);
     const flowCoverage = buildFlowCoverage(bundle.critical_flows, coverage);
-    const runtimeValidationTasks = buildRuntimeValidationTasks(bundle.unit_manifest, bundle.critical_flows, flowCoverage);
-    const runtimeValidationReport = preserveOrPlaceholder(runtimeValidationTasks, bundle.runtime_validation_report);
-    const baseTasks = buildChunkedAuditTasks(bundle.unit_manifest, lineIndex, {
+    const runtimeCommand = await discoverRuntimeValidationCommand(root);
+    const runtimeValidationTasks = buildRuntimeValidationTasks({
+        unitManifest: bundle.unit_manifest,
+        criticalFlows: bundle.critical_flows,
+        flowCoverage,
+        command: runtimeCommand,
+    });
+    const runtimeValidationReport = runtimeValidationTasks.tasks.length > 0
+        ? mergeRuntimeValidationReport(runtimeValidationTasks, bundle.runtime_validation_report)
+        : undefined;
+    const auditTasks = buildChunkedAuditTasks(coverage, lineIndex, {
         external_analyzer_results: externalAnalyzerResults,
+        critical_flows: bundle.critical_flows,
     });
-    const analyzerTasks = buildExternalSignalTasks(coverage, lineIndex, externalAnalyzerResults);
-    const flowTasks = buildFlowAwareTaskAugmentations([...baseTasks, ...analyzerTasks], bundle.critical_flows, lineIndex);
-    const auditTasks = [...baseTasks, ...analyzerTasks, ...flowTasks].map((task) => ({
+    const taggedAuditTasks = auditTasks.map((task) => ({
         ...task,
         status: task.status ?? "pending",
     }));
@@ -112,24 +145,25 @@ export function runPlanningExecutor(bundle, lineIndex = {}) {
             flow_coverage: flowCoverage,
             runtime_validation_tasks: runtimeValidationTasks,
             runtime_validation_report: runtimeValidationReport,
-            audit_tasks: auditTasks,
+            audit_tasks: taggedAuditTasks,
             requeue_tasks: requeuePayload.tasks,
+            audit_report: undefined,
         },
         artifacts_written: [
             "coverage_matrix.json",
             "flow_coverage.json",
             "runtime_validation_tasks.json",
-            "runtime_validation_report.json",
+            ...(runtimeValidationReport ? ["runtime_validation_report.json"] : []),
             "audit_tasks.json",
             "requeue_tasks.json",
         ],
-        progress_summary: `Built planning artifacts; generated ${auditTasks.length} tasks and ${requeuePayload.task_count} requeue tasks.` +
-            (autoSkippedTrivialFiles.length > 0
-                ? ` Auto-completed ${autoSkippedTrivialFiles.length} trivial file${autoSkippedTrivialFiles.length === 1 ? "" : "s"} without dispatch.`
+        progress_summary: `Built planning artifacts; generated ${taggedAuditTasks.length} review blocks and ${requeuePayload.task_count} requeue tasks.` +
+            (skippedTrivialPaths.length > 0
+                ? ` Skipped ${skippedTrivialPaths.length} trivial path${skippedTrivialPaths.length === 1 ? "" : "s"} from semantic review.`
                 : "") +
-            (externalAnalyzerResults?.results.length
-                ? ` External analyzer signals influenced lenses and produced ${analyzerTasks.length} dedicated follow-up task(s).`
-                : ""),
+            (runtimeCommand
+                ? ` Runtime validation will use: ${runtimeCommand.join(" ")}.`
+                : " No deterministic runtime validation command was discovered."),
     };
 }
 export function runResultIngestionExecutor(bundle, results) {
@@ -140,84 +174,110 @@ export function runResultIngestionExecutor(bundle, results) {
     const flowCoverage = bundle.critical_flows
         ? buildFlowCoverage(bundle.critical_flows, updatedCoverageMatrix)
         : bundle.flow_coverage;
-    const runtimeValidationTasks = bundle.unit_manifest
-        ? buildRuntimeValidationTasks(bundle.unit_manifest, bundle.critical_flows, flowCoverage)
-        : bundle.runtime_validation_tasks;
-    const runtimeValidationReport = runtimeValidationTasks
-        ? preserveOrPlaceholder(runtimeValidationTasks, bundle.runtime_validation_report)
-        : bundle.runtime_validation_report;
     const requeuePayload = buildRequeuePayload(updatedCoverageMatrix, bundle.critical_flows, flowCoverage, bundle.external_analyzer_results);
     const mergedResults = [...(bundle.audit_results ?? []), ...results];
     const updatedAuditTasks = updateAuditTaskStatuses(bundle.audit_tasks, mergedResults);
-    const synthesisReport = buildSynthesisReport(mergedResults, runtimeValidationReport, bundle.external_analyzer_results);
-    const synthesisArtifacts = buildSynthesisArtifacts(synthesisReport);
     return {
         updated: {
             ...bundle,
             coverage_matrix: updatedCoverageMatrix,
             flow_coverage: flowCoverage,
-            runtime_validation_tasks: runtimeValidationTasks,
-            runtime_validation_report: runtimeValidationReport,
             audit_results: mergedResults,
             audit_tasks: updatedAuditTasks,
             requeue_tasks: requeuePayload.tasks,
-            ...synthesisArtifacts,
+            audit_report: undefined,
         },
         artifacts_written: [
             "coverage_matrix.json",
             "flow_coverage.json",
-            "runtime_validation_tasks.json",
-            "runtime_validation_report.json",
             "audit_results.jsonl",
             "audit_tasks.json",
             "requeue_tasks.json",
-            "merged_findings.json",
-            "root_cause_clusters.json",
-            "synthesis_report.json",
         ],
         progress_summary: `Ingested ${results.length} audit result entries and refreshed dependent artifacts.`,
     };
 }
+export async function runRuntimeValidationExecutor(bundle, root) {
+    if (!bundle.runtime_validation_tasks) {
+        throw new Error("Cannot execute runtime validation without runtime_validation_tasks");
+    }
+    const existing = bundle.runtime_validation_report ?? { results: [] };
+    const byTaskId = new Map(existing.results.map((result) => [result.task_id, result]));
+    const byCommand = new Map();
+    for (const task of bundle.runtime_validation_tasks.tasks) {
+        const prior = byTaskId.get(task.id);
+        if (prior &&
+            ["confirmed", "not_confirmed", "inconclusive", "not_required"].includes(prior.status)) {
+            continue;
+        }
+        if (!task.command || task.command.length === 0) {
+            byTaskId.set(task.id, {
+                task_id: task.id,
+                status: "not_required",
+                summary: `No deterministic runtime command was available for ${task.id}.`,
+                evidence: [],
+                notes: ["Runtime validation was not planned for this task."],
+            });
+            continue;
+        }
+        const signature = task.command.join("\0");
+        const outcome = byCommand.get(signature) ?? (await runCommand(task.command, root));
+        byCommand.set(signature, outcome);
+        byTaskId.set(task.id, {
+            task_id: task.id,
+            status: outcome.status,
+            summary: outcome.summary,
+            evidence: outcome.evidence,
+            notes: [`Target paths: ${task.target_paths.join(", ")}`],
+        });
+    }
+    return {
+        updated: {
+            ...bundle,
+            runtime_validation_report: {
+                results: [...byTaskId.values()].sort((a, b) => a.task_id.localeCompare(b.task_id)),
+            },
+            audit_report: undefined,
+        },
+        artifacts_written: ["runtime_validation_report.json"],
+        progress_summary: `Executed deterministic runtime validation for ${bundle.runtime_validation_tasks.tasks.length} task(s).`,
+    };
+}
 export function runRuntimeValidationUpdateExecutor(bundle, updates) {
     if (!bundle.runtime_validation_tasks) {
         throw new Error("Cannot update runtime validation without runtime_validation_tasks");
     }
-    const existingReport = bundle.runtime_validation_report ??
-        buildPlaceholderRuntimeValidationReport(bundle.runtime_validation_tasks);
+    const existingReport = bundle.runtime_validation_report ?? { results: [] };
     const mergedReport = updateRuntimeValidationReport(bundle.runtime_validation_tasks, existingReport, updates);
-    const synthesisReport = buildSynthesisReport(bundle.audit_results ?? [], mergedReport, bundle.external_analyzer_results);
-    const synthesisArtifacts = buildSynthesisArtifacts(synthesisReport);
     return {
         updated: {
             ...bundle,
             runtime_validation_report: mergedReport,
-            ...synthesisArtifacts,
+            audit_report: undefined,
         },
-        artifacts_written: [
-            "runtime_validation_report.json",
-            "merged_findings.json",
-            "root_cause_clusters.json",
-            "synthesis_report.json",
-        ],
+        artifacts_written: ["runtime_validation_report.json"],
         progress_summary: `Merged ${updates.results.length} runtime validation updates.`,
     };
 }
 export function runSynthesisExecutor(bundle, results) {
     const finalResults = results ?? bundle.audit_results ?? [];
-    const synthesisReport = buildSynthesisReport(finalResults, bundle.runtime_validation_report, bundle.external_analyzer_results);
-    const synthesisArtifacts = buildSynthesisArtifacts(synthesisReport);
+    const model = buildAuditReportModel({
+        results: finalResults,
+        unitManifest: bundle.unit_manifest,
+        graphBundle: bundle.graph_bundle,
+        criticalFlows: bundle.critical_flows,
+        coverageMatrix: bundle.coverage_matrix,
+        runtimeValidationReport: bundle.runtime_validation_report,
+        externalAnalyzerResults: bundle.external_analyzer_results,
+    });
     return {
         updated: {
             ...bundle,
             audit_results: finalResults,
-            ...synthesisArtifacts,
+            audit_report: renderAuditReportMarkdown(model),
         },
-        artifacts_written: [
-            "merged_findings.json",
-            "root_cause_clusters.json",
-            "synthesis_report.json",
-        ],
-        progress_summary: `Refreshed synthesis for ${finalResults.length} audit result entries.`,
+        artifacts_written: ["audit-report.md"],
+        progress_summary: `Rendered deterministic audit report for ${finalResults.length} audit result entries.`,
     };
 }
 export function runExternalAnalyzerImportExecutor(bundle, externalResults) {
@@ -226,6 +286,7 @@ export function runExternalAnalyzerImportExecutor(bundle, externalResults) {
         updated: {
             ...bundle,
             external_analyzer_results: externalResults,
+            audit_report: undefined,
         },
         artifacts_written: ["external_analyzer_results.json"],
         progress_summary: summary,

package/dist/orchestrator/planning.js

@@ -1,5 +1,6 @@
 import { applyUnitCoverage, createCoverageMatrix, markExcludedPath, } from "../coverage.js";
 import { isAuditExcludedStatus } from "../extractors/disposition.js";
+import { deriveRequiredLensesForPath } from "./unitBuilder.js";
 const CATEGORY_LENS_TABLE = [
     [["security", "secret"], ["security", "correctness"]],
     [["dependency", "vuln"], ["security", "config_deployment"]],
@@ -21,8 +22,17 @@ function applyAnalyzerCoverage(coverage, externalAnalyzerResults) {
     if (!externalAnalyzerResults) {
         return;
     }
-    for (const result of externalAnalyzerResults.results) {
-        const record = coverage.files.find((file) => file.path === result.path);
+    const coverageByPath = new Map(coverage.files.map((file) => [file.path, file]));
+    const results = Array.isArray(externalAnalyzerResults.results)
+        ? externalAnalyzerResults.results
+        : [];
+    for (const result of results) {
+        if (!result ||
+            typeof result.path !== "string" ||
+            typeof result.category !== "string") {
+            continue;
+        }
+        const record = coverageByPath.get(result.path);
         if (!record || record.audit_status === "excluded") {
             continue;
         }
@@ -44,9 +54,21 @@ export function initializeCoverageFromPlan(repoManifest, unitManifest, dispositi
             markExcludedPath(coverage, file.path, status);
         }
     }
+    const unitIdsByPath = new Map();
     for (const unit of unitManifest.units) {
         for (const path of unit.files) {
-            applyUnitCoverage(coverage, path, unit.unit_id, unit.required_lenses);
+            const existing = unitIdsByPath.get(path) ?? [];
+            if (!existing.includes(unit.unit_id)) {
+                existing.push(unit.unit_id);
+            }
+            unitIdsByPath.set(path, existing);
+        }
+    }
+    for (const file of repoManifest.files) {
+        const unitIds = unitIdsByPath.get(file.path) ?? [];
+        const requiredLenses = deriveRequiredLensesForPath(file.path);
+        for (const unitId of unitIds) {
+            applyUnitCoverage(coverage, file.path, unitId, requiredLenses);
         }
     }
     applyAnalyzerCoverage(coverage, externalAnalyzerResults);

package/dist/orchestrator/requeue.js

@@ -1,11 +1,26 @@
 import { buildRequeueTargets } from "../coverage.js";
-function taskPriority(hasExternalSignal) {
-    return hasExternalSignal ? "high" : "medium";
+function taskPriority(hasExternalSignal, lens) {
+    if (hasExternalSignal)
+        return "high";
+    if (lens === "security" || lens === "data_integrity" || lens === "reliability") {
+        return "medium";
+    }
+    return "low";
+}
+function getExternalSignalPaths(externalAnalyzerResults) {
+    const results = Array.isArray(externalAnalyzerResults?.results)
+        ? externalAnalyzerResults.results
+        : [];
+    return new Set(results
+        .map((item) => item && typeof item.path === "string" && item.path.length > 0
+        ? item.path
+        : null)
+        .filter((path) => path !== null));
 }
 export function buildRequeueTasks(matrix, externalAnalyzerResults) {
     const targets = buildRequeueTargets(matrix);
     const tasks = [];
-    const externalPaths = new Set((externalAnalyzerResults?.results ?? []).map((item) => item.path));
+    const externalPaths = getExternalSignalPaths(externalAnalyzerResults);
     for (const target of targets) {
         for (const lens of target.missing_lenses) {
             const hasExternalSignal = externalPaths.has(target.path);
@@ -15,8 +30,8 @@ export function buildRequeueTasks(matrix, externalAnalyzerResults) {
                 pass_id: `requeue:${lens}`,
                 lens,
                 file_paths: [target.path],
-                rationale: `Requeue ${target.path} because the ${lens} lens is still missing.${hasExternalSignal ? " External analyzer signals make this follow-up higher priority." : ""}`,
-                priority: taskPriority(hasExternalSignal),
+                rationale: `Mandatory audit coverage is still missing for ${target.path} under the ${lens} lens.`,
+                priority: taskPriority(hasExternalSignal, lens),
                 tags: hasExternalSignal ? ["external_analyzer_signal"] : [],
                 status: "pending",
             });

package/dist/orchestrator/resultIngestion.js

@@ -1,15 +1,14 @@
-import { applyReviewedRanges } from "../coverage.js";
+import { applyFileCoverage } from "../coverage.js";
 export function ingestAuditResults(coverageMatrix, results) {
     const matrix = JSON.parse(JSON.stringify(coverageMatrix));
-    const reviewedRanges = results.flatMap((result) => result.reviewed_ranges.map((range) => ({
-        path: range.path,
-        start: range.start,
-        end: range.end,
+    const fileCoverage = results.flatMap((result) => result.file_coverage.map((coverage) => ({
+        path: coverage.path,
+        total_lines: coverage.total_lines,
         pass_id: result.pass_id,
         lens: result.lens,
         agent_role: result.agent_role,
     })));
-    applyReviewedRanges(matrix, reviewedRanges);
+    applyFileCoverage(matrix, fileCoverage);
     return matrix;
 }
 export function updateAuditTaskStatuses(tasks, results) {

package/dist/orchestrator/runtimeValidation.d.ts

@@ -2,6 +2,11 @@ import type { UnitManifest } from "../types.js";
 import type { FlowCoverageManifest } from "../types/flowCoverage.js";
 import type { CriticalFlowManifest } from "../types/flows.js";
 import type { RuntimeValidationReport, RuntimeValidationTaskManifest } from "../types/runtimeValidation.js";
-export declare function buildRuntimeValidationTasks(unitManifest: UnitManifest, criticalFlows?: CriticalFlowManifest, flowCoverage?: FlowCoverageManifest): RuntimeValidationTaskManifest;
-export declare function buildPlaceholderRuntimeValidationReport(tasks: RuntimeValidationTaskManifest): RuntimeValidationReport;
+export declare function discoverRuntimeValidationCommand(root: string): Promise<string[] | undefined>;
+export declare function buildRuntimeValidationTasks(params: {
+    unitManifest: UnitManifest;
+    criticalFlows?: CriticalFlowManifest;
+    flowCoverage?: FlowCoverageManifest;
+    command?: string[];
+}): RuntimeValidationTaskManifest;
 export declare function mergeRuntimeValidationReport(tasks: RuntimeValidationTaskManifest, existing?: RuntimeValidationReport): RuntimeValidationReport;

package/dist/orchestrator/runtimeValidation.js

@@ -1,23 +1,59 @@
+import { access, readFile } from "node:fs/promises";
 function checksForFlow(requiredLenses) {
     const checks = [];
     if (requiredLenses.includes("security")) {
         checks.push("Exercise malformed or unauthorized inputs against the flow.");
     }
     if (requiredLenses.includes("reliability")) {
-        checks.push("Exercise retries, repeated submissions, or partial failure behavior.");
+        checks.push("Exercise retries or repeated submissions.");
     }
     if (requiredLenses.includes("correctness")) {
-        checks.push("Exercise representative success and edge-case paths end to end.");
+        checks.push("Exercise representative success and edge-case behavior.");
     }
     if (requiredLenses.includes("data_integrity")) {
-        checks.push("Verify state transitions and persistence invariants after execution.");
+        checks.push("Verify state transitions and persistence invariants.");
     }
     return checks;
 }
-export function buildRuntimeValidationTasks(unitManifest, criticalFlows, flowCoverage) {
+async function exists(path) {
+    try {
+        await access(path);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export async function discoverRuntimeValidationCommand(root) {
+    const packageJsonPath = `${root}/package.json`;
+    if (await exists(packageJsonPath)) {
+        try {
+            const packageJson = JSON.parse(await readFile(packageJsonPath, "utf8"));
+            const testScript = packageJson.scripts?.test?.trim();
+            if (testScript &&
+                !/no test specified/i.test(testScript)) {
+                return ["npm", "test"];
+            }
+        }
+        catch {
+            // ignore unreadable package.json for runtime discovery
+        }
+    }
+    if (await exists(`${root}/go.mod`)) {
+        return ["go", "test", "./..."];
+    }
+    if (await exists(`${root}/pyproject.toml`) || await exists(`${root}/pytest.ini`)) {
+        return ["python", "-m", "pytest"];
+    }
+    return undefined;
+}
+export function buildRuntimeValidationTasks(params) {
+    if (!params.command) {
+        return { tasks: [] };
+    }
     const tasks = [];
     const seen = new Set();
-    const highRiskUnits = unitManifest.units.filter((unit) => (unit.risk_score ?? 0) >= 5 ||
+    const highRiskUnits = params.unitManifest.units.filter((unit) => (unit.risk_score ?? 0) >= 5 ||
         unit.required_lenses.includes("security") ||
         unit.required_lenses.includes("data_integrity"));
     for (const unit of highRiskUnits) {
@@ -31,16 +67,17 @@ export function buildRuntimeValidationTasks(unitManifest, criticalFlows, flowCov
             target_paths: unit.files,
             reason: `Unit ${unit.unit_id} is high risk or touches sensitive concerns.`,
             priority: (unit.risk_score ?? 0) >= 7 ? "high" : "medium",
+            command: params.command,
             suggested_checks: [
-                "Run representative happy-path execution.",
-                "Run malformed-input or failure-path execution where feasible.",
+                "Run the deterministic runtime command for the repository.",
+                "Confirm the affected unit does not regress under the command output.",
             ],
             source_artifacts: ["unit_manifest.json", "risk_register.json"],
         });
     }
-    if (criticalFlows && flowCoverage) {
-        const flowMap = new Map(criticalFlows.flows.map((flow) => [flow.id, flow]));
-        for (const record of flowCoverage.flows) {
+    if (params.criticalFlows && params.flowCoverage) {
+        const flowMap = new Map(params.criticalFlows.flows.map((flow) => [flow.id, flow]));
+        for (const record of params.flowCoverage.flows) {
             if (record.status === "complete") {
                 continue;
             }
@@ -56,53 +93,28 @@ export function buildRuntimeValidationTasks(unitManifest, criticalFlows, flowCov
                 id,
                 kind: "critical-flow-check",
                 target_paths: flow.paths,
-                reason: `Critical flow ${record.flow_id} is still ${record.status} and should receive runtime validation.`,
+                reason: `Critical flow ${record.flow_id} is still ${record.status} and needs deterministic runtime validation.`,
                 priority: record.status === "pending" ? "high" : "medium",
+                command: params.command,
                 suggested_checks: checksForFlow(record.required_lenses),
                 source_artifacts: ["critical_flows.json", "flow_coverage.json"],
             });
         }
     }
-    const RUNTIME_TASK_CAP = 100;
-    if (tasks.length > RUNTIME_TASK_CAP) {
-        process.stderr.write(`[runtime-validation] generated ${tasks.length} tasks which exceeds the cap of ${RUNTIME_TASK_CAP}; truncating to avoid runaway expansion\n`);
-        tasks.splice(RUNTIME_TASK_CAP);
-    }
     return { tasks };
 }
-export function buildPlaceholderRuntimeValidationReport(tasks) {
-    return {
-        results: tasks.tasks.map((task) => ({
-            task_id: task.id,
-            status: "pending",
-            summary: `No runtime evidence recorded yet for ${task.id}.`,
-            evidence: [],
-            notes: ["Placeholder entry generated from runtime validation task list."],
-        })),
-    };
-}
 export function mergeRuntimeValidationReport(tasks, existing) {
     const existingMap = new Map((existing?.results ?? []).map((result) => [result.task_id, result]));
-    const mergedResults = tasks.tasks.map((task) => {
-        const prior = existingMap.get(task.id);
-        if (prior) {
-            return {
-                ...prior,
-                notes: [
-                    ...new Set([
-                        ...(prior.notes ?? []),
-                        "Preserved across runtime validation refresh.",
-                    ]),
-                ],
-            };
-        }
-        return {
-            task_id: task.id,
-            status: "pending",
-            summary: `No runtime evidence recorded yet for ${task.id}.`,
-            evidence: [],
-            notes: ["Placeholder entry generated from runtime validation task list."],
-        };
-    });
-    return { results: mergedResults };
+    return {
+        results: tasks.tasks.map((task) => {
+            const prior = existingMap.get(task.id);
+            return (prior ?? {
+                task_id: task.id,
+                status: "pending",
+                summary: `Deterministic runtime validation has not executed yet for ${task.id}.`,
+                evidence: [],
+                notes: [],
+            });
+        }),
+    };
 }

package/dist/orchestrator/runtimeValidationUpdate.js

@@ -38,11 +38,9 @@ export function updateRuntimeValidationReport(tasks, existing, updates) {
             merged.set(task.id, {
                 task_id: task.id,
                 status: "pending",
-                summary: `No runtime evidence recorded yet for ${task.id}.`,
+                summary: `Deterministic runtime validation has not executed yet for ${task.id}.`,
                 evidence: [],
-                notes: [
-                    "Placeholder entry generated from runtime validation task list.",
-                ],
+                notes: [],
             });
         }
     }