auditor-lambda 0.2.8 → 0.2.10

package/dist/orchestrator/taskBuilder.js

@@ -1,5 +1,12 @@
+import { claimFlowReviewBlocks } from "./flowPlanning.js";
 import { isTrivialAuditPath } from "./trivialAudit.js";
-function taskPriority(hasExternalSignal, lens) {
+import { LENS_ORDER } from "./unitBuilder.js";
+function taskPriority(hasExternalSignal, lens, isCriticalFlow = false) {
+    if (isCriticalFlow) {
+        return lens === "security" || lens === "reliability" || lens === "correctness"
+            ? "high"
+            : "medium";
+    }
     if (hasExternalSignal &&
         (lens === "security" || lens === "data_integrity" || lens === "reliability")) {
         return "high";
@@ -39,68 +46,161 @@ function pickAnalyzerLens(category) {
     return "correctness";
 }
 const DEFAULT_FILE_SPLIT_THRESHOLD = 3000;
-export function buildChunkedAuditTasks(unitManifest, unitLineIndex, options = {}) {
+function buildCoverageIndex(coverageMatrix) {
+    return new Map(coverageMatrix.files.map((file) => [file.path, file]));
+}
+function getExternalSignalPaths(externalAnalyzerResults) {
+    const results = Array.isArray(externalAnalyzerResults?.results)
+        ? externalAnalyzerResults.results
+        : [];
+    return new Set(results
+        .map((item) => item && typeof item.path === "string" && item.path.length > 0
+        ? item.path
+        : null)
+        .filter((path) => path !== null));
+}
+function getExternalSignalResults(externalAnalyzerResults) {
+    if (!Array.isArray(externalAnalyzerResults?.results)) {
+        return [];
+    }
+    return externalAnalyzerResults.results.filter((item) => Boolean(item) &&
+        typeof item.path === "string" &&
+        typeof item.category === "string" &&
+        typeof item.summary === "string" &&
+        typeof item.id === "string");
+}
+export function buildChunkedAuditTasks(coverageMatrix, unitLineIndex, options = {}) {
     const fileSplitThreshold = options.file_split_threshold ?? DEFAULT_FILE_SPLIT_THRESHOLD;
     const allowed = new Set(options.limit_lenses ?? []);
     const enforceLensFilter = allowed.size > 0;
     const tasks = [];
     const seen = new Set();
-    const externalPaths = new Set((options.external_analyzer_results?.results ?? []).map((item) => item.path));
-    for (const unit of unitManifest.units) {
-        const minimumLenses = ["correctness", "security"];
-        const lensesToRun = Array.isArray(unit.required_lenses) && unit.required_lenses.length >= 2
-            ? unit.required_lenses
-            : minimumLenses;
-        for (const lens of lensesToRun) {
+    const externalPaths = getExternalSignalPaths(options.external_analyzer_results);
+    const coverageByPath = new Map(coverageMatrix.files.map((file) => [file.path, file]));
+    const pendingByLens = new Map();
+    for (const file of coverageMatrix.files) {
+        if (file.audit_status === "excluded") {
+            continue;
+        }
+        for (const lens of file.required_lenses) {
+            if (file.completed_lenses.includes(lens)) {
+                continue;
+            }
             if (enforceLensFilter && !allowed.has(lens)) {
                 continue;
             }
-            const hasExternalSignal = unit.files.some((f) => externalPaths.has(f));
-            const priority = taskPriority(hasExternalSignal, lens);
-            const tags = hasExternalSignal ? ["external_analyzer_signal"] : [];
-            const candidateFiles = unit.files.filter((filePath) => !isTrivialAuditPath(filePath, unitLineIndex[filePath] ?? 0, externalPaths.has(filePath)));
-            // Split files that are individually too large to group; everything else
-            // goes into one task so the agent can reason across file boundaries.
-            const oversizedFiles = fileSplitThreshold > 0
-                ? candidateFiles.filter((f) => (unitLineIndex[f] ?? 0) > fileSplitThreshold)
-                : [];
-            const normalFiles = candidateFiles.filter((f) => !oversizedFiles.includes(f));
-            // One task for all normal-sized files in this unit under this lens.
-            if (normalFiles.length > 0) {
-                const id = `${unit.unit_id}:${lens}`;
-                if (!seen.has(id)) {
-                    seen.add(id);
-                    tasks.push({
-                        task_id: id,
-                        unit_id: unit.unit_id,
-                        pass_id: `pass:${lens}`,
-                        lens,
-                        file_paths: normalFiles,
-                        rationale: `Audit ${unit.unit_id} (${normalFiles.length} file${normalFiles.length === 1 ? "" : "s"}) under the ${lens} lens.${hasExternalSignal ? " External analyzer signals raise priority." : ""}`,
-                        priority,
-                        tags,
-                    });
-                }
+            if (isTrivialAuditPath(file.path, unitLineIndex[file.path] ?? 0, externalPaths.has(file.path))) {
+                continue;
             }
-            // Oversized files each get their own task so the agent isn't overwhelmed.
-            for (const filePath of oversizedFiles) {
-                const id = `${unit.unit_id}:${lens}:${filePath}`;
-                if (seen.has(id))
-                    continue;
-                seen.add(id);
-                const fileHasSignal = externalPaths.has(filePath);
+            const pending = pendingByLens.get(lens) ?? new Set();
+            pending.add(file.path);
+            pendingByLens.set(lens, pending);
+        }
+    }
+    function addTaskBlock(params) {
+        const oversizedFiles = fileSplitThreshold > 0
+            ? params.filePaths.filter((path) => (unitLineIndex[path] ?? 0) > fileSplitThreshold)
+            : [];
+        const oversizedSet = new Set(oversizedFiles);
+        const normalFiles = params.filePaths.filter((path) => !oversizedSet.has(path));
+        if (normalFiles.length > 0) {
+            const taskId = `${params.scopeId}:${params.lens}`;
+            if (!seen.has(taskId)) {
+                seen.add(taskId);
                 tasks.push({
-                    task_id: id,
-                    unit_id: unit.unit_id,
-                    pass_id: `pass:${lens}`,
-                    lens,
-                    file_paths: [filePath],
-                    rationale: `Audit ${filePath} (large file, split from unit) under the ${lens} lens.${fileHasSignal ? " External analyzer signals raise priority." : ""}`,
-                    priority: taskPriority(fileHasSignal, lens),
-                    tags: fileHasSignal ? ["external_analyzer_signal", "large_file"] : ["large_file"],
+                    task_id: taskId,
+                    unit_id: params.unitId,
+                    pass_id: params.passId,
+                    lens: params.lens,
+                    file_paths: normalFiles,
+                    rationale: params.rationale(normalFiles, false),
+                    priority: params.priority,
+                    tags: params.tags.length > 0 ? params.tags : undefined,
                 });
             }
         }
+        for (const filePath of oversizedFiles) {
+            const taskId = `${params.scopeId}:${params.lens}:${filePath}`;
+            if (seen.has(taskId)) {
+                continue;
+            }
+            seen.add(taskId);
+            tasks.push({
+                task_id: taskId,
+                unit_id: params.unitId,
+                pass_id: params.passId,
+                lens: params.lens,
+                file_paths: [filePath],
+                rationale: params.rationale([filePath], true),
+                priority: params.priority,
+                tags: params.tags.length > 0
+                    ? [...new Set([...params.tags, "large_file"])]
+                    : ["large_file"],
+            });
+        }
+    }
+    const assigned = new Set();
+    const flowBlocks = options.critical_flows
+        ? claimFlowReviewBlocks(options.critical_flows, pendingByLens, assigned)
+        : [];
+    for (const block of flowBlocks) {
+        const hasExternalSignal = block.file_paths.some((path) => externalPaths.has(path));
+        addTaskBlock({
+            scopeId: `flow:${block.flow_id}`,
+            unitId: `flow:${block.flow_id}`,
+            passId: `flow-pass:${block.lens}`,
+            lens: block.lens,
+            filePaths: block.file_paths,
+            priority: taskPriority(hasExternalSignal, block.lens, true),
+            tags: hasExternalSignal
+                ? ["critical_flow", `critical_flow:${block.flow_id}`, "external_analyzer_signal"]
+                : ["critical_flow", `critical_flow:${block.flow_id}`],
+            rationale: (filePaths, splitFromBlock) => splitFromBlock
+                ? `Audit ${filePaths[0]} (large file from critical flow ${block.flow_id}) under the ${block.lens} lens.${hasExternalSignal ? " External analyzer signals raise priority." : ""}`
+                : `Audit critical flow ${block.flow_id} (${filePaths.length} file${filePaths.length === 1 ? "" : "s"}) under the ${block.lens} lens.${hasExternalSignal ? " External analyzer signals raise priority." : ""}`,
+        });
+    }
+    const groupedRemainders = new Map();
+    for (const lens of LENS_ORDER) {
+        const pendingPaths = pendingByLens.get(lens);
+        if (!pendingPaths || pendingPaths.size === 0) {
+            continue;
+        }
+        for (const path of [...pendingPaths].sort((a, b) => a.localeCompare(b))) {
+            if (assigned.has(`${lens}:${path}`)) {
+                continue;
+            }
+            const record = coverageByPath.get(path);
+            const unitId = record?.unit_ids[0] ?? `review:${path.replace(/[^a-zA-Z0-9_-]/g, "-")}`;
+            const key = `${lens}|${unitId}`;
+            const current = groupedRemainders.get(key) ?? {
+                lens,
+                unitId,
+                filePaths: [],
+            };
+            current.filePaths.push(path);
+            groupedRemainders.set(key, current);
+        }
+    }
+    for (const block of [...groupedRemainders.values()].sort((a, b) => {
+        const lensDelta = LENS_ORDER.indexOf(a.lens) - LENS_ORDER.indexOf(b.lens);
+        if (lensDelta !== 0)
+            return lensDelta;
+        return a.unitId.localeCompare(b.unitId);
+    })) {
+        const hasExternalSignal = block.filePaths.some((path) => externalPaths.has(path));
+        addTaskBlock({
+            scopeId: block.unitId,
+            unitId: block.unitId,
+            passId: `pass:${block.lens}`,
+            lens: block.lens,
+            filePaths: block.filePaths,
+            priority: taskPriority(hasExternalSignal, block.lens),
+            tags: hasExternalSignal ? ["external_analyzer_signal"] : [],
+            rationale: (filePaths, splitFromBlock) => splitFromBlock
+                ? `Audit ${filePaths[0]} (large file split from ${block.unitId}) under the ${block.lens} lens.${hasExternalSignal ? " External analyzer signals raise priority." : ""}`
+                : `Audit ${block.unitId} (${filePaths.length} file${filePaths.length === 1 ? "" : "s"}) under the ${block.lens} lens.${hasExternalSignal ? " External analyzer signals raise priority." : ""}`,
+        });
     }
     return tasks.sort((a, b) => {
         const priorityDelta = priorityRank(b.priority) - priorityRank(a.priority);
@@ -119,12 +219,13 @@ export function buildExternalSignalTasks(coverageMatrix, _unitLineIndex, externa
     }
     const tasks = [];
     const seen = new Set();
-    for (const result of externalAnalyzerResults.results) {
+    const coverageByPath = buildCoverageIndex(coverageMatrix);
+    for (const result of getExternalSignalResults(externalAnalyzerResults)) {
         const safeCategory = sanitizeField(result.category, 80);
         const safePath = sanitizeField(result.path ?? "", 260);
         const safeSummary = sanitizeField(result.summary ?? "", 200);
         const lens = pickAnalyzerLens(safeCategory);
-        const coverage = coverageMatrix.files.find((file) => file.path === result.path);
+        const coverage = coverageByPath.get(result.path);
         if (!coverage || coverage.audit_status === "excluded") {
             continue;
         }

package/dist/orchestrator/unitBuilder.d.ts

@@ -1,3 +1,5 @@
-import type { RepoManifest, UnitManifest } from "../types.js";
+import type { Lens, RepoManifest, UnitManifest } from "../types.js";
 import type { FileDisposition } from "../types/disposition.js";
+export declare const LENS_ORDER: Lens[];
+export declare function deriveRequiredLensesForPath(path: string): Lens[];
 export declare function buildUnitManifest(repoManifest: RepoManifest, disposition?: FileDisposition): UnitManifest;

package/dist/orchestrator/unitBuilder.js

@@ -60,20 +60,30 @@ function inferUnitId(path, kind) {
     }
     return `${kind}-${path.replace(/[^a-zA-Z0-9_-]/g, "-")}`;
 }
+export const LENS_ORDER = [
+    "security",
+    "correctness",
+    "reliability",
+    "data_integrity",
+    "performance",
+    "operability",
+    "config_deployment",
+    "maintainability",
+    "tests",
+];
 function sortLenses(lenses) {
-    const order = [
-        "security",
-        "correctness",
-        "reliability",
-        "data_integrity",
-        "performance",
-        "operability",
-        "config_deployment",
-        "maintainability",
-        "tests",
-    ];
     const set = new Set(lenses);
-    return order.filter((lens) => set.has(lens));
+    return LENS_ORDER.filter((lens) => set.has(lens));
+}
+export function deriveRequiredLensesForPath(path) {
+    const assignment = bucketFile(path);
+    const required = new Set();
+    for (const bucket of assignment.buckets) {
+        for (const lens of LENS_MAP[bucket]) {
+            required.add(lens);
+        }
+    }
+    return sortLenses(required);
 }
 function inferCriticalFlows(files, requiredLenses) {
     const flows = new Set();
@@ -123,10 +133,8 @@ export function buildUnitManifest(repoManifest, disposition) {
         }
         const assignment = bucketFile(file.path);
         const required = new Set(existing.required_lenses);
-        for (const bucket of assignment.buckets) {
-            for (const lens of LENS_MAP[bucket]) {
-                required.add(lens);
-            }
+        for (const lens of deriveRequiredLensesForPath(file.path)) {
+            required.add(lens);
         }
         existing.required_lenses = sortLenses(required);
         const riskScore = new Set(assignment.buckets).size +

package/dist/prompts/renderWorkerPrompt.d.ts

@@ -1,2 +1,2 @@
-import type { WorkerTask } from "../types/workerSession.js";
+import { type WorkerTask } from "../types/workerSession.js";
 export declare function renderWorkerPrompt(task: WorkerTask): string;

package/dist/prompts/renderWorkerPrompt.js

@@ -1,8 +1,9 @@
-function shellQuote(arg) {
-    return JSON.stringify(arg);
+import { usesDeferredWorkerCommand, } from "../types/workerSession.js";
+function renderArgv(task) {
+    return JSON.stringify(task.worker_command);
 }
 export function renderWorkerPrompt(task) {
-    const command = task.worker_command.map(shellQuote).join(" ");
+    const commandArgv = renderArgv(task);
     if (task.preferred_executor === "agent" && task.audit_results_path) {
         const tasksPath = task.pending_audit_tasks_path ??
             `${task.artifacts_dir}/audit_tasks.json`;
@@ -29,14 +30,17 @@ export function renderWorkerPrompt(task) {
             "       Example evidence entry: src/foo.ts:42 - variable overwritten before use",
             "     Optional finding fields: impact, likelihood, reproduction, systemic, related_findings",
             "     Low-priority tasks still require a real review. Use findings: [] only when you genuinely found nothing notable.",
+            task.timeout_ms
+                ? `     Time budget for this task: ${task.timeout_ms} ms.`
+                : "     Keep the task bounded to the assigned files only.",
             `Reference schema: ${task.artifacts_dir}/dispatch/audit-result.schema.json`,
             `Write the AuditResult[] JSON array to: ${task.audit_results_path}`,
         ];
-        if (task.skip_worker_command) {
-            lines.push("", "Stop after writing the results file.");
+        if (usesDeferredWorkerCommand(task)) {
+            lines.push("", "This run is using deferred worker-command ingestion.", "Do not execute worker_command in this session.", "Stop after writing the results file.");
         }
         else {
-            lines.push("", "Then run this command exactly:", command, "Stop after the command completes.");
+            lines.push("", "Then execute the worker_command array from task.json exactly as written.", "Preserve argv boundaries instead of reconstructing shell quoting.", `worker_command argv JSON: ${commandArgv}`, "Stop after the command completes.");
         }
         return lines.join("\n");
     }
@@ -46,10 +50,14 @@ export function renderWorkerPrompt(task) {
         `Repository root: ${task.repo_root}`,
         `Obligation: ${task.obligation_id ?? "unknown"}`,
         `Executor: ${task.preferred_executor}`,
-        "Execute the following command exactly, without modification:",
-        command,
+        "Execute the worker_command array from task.json exactly as written.",
+        "Preserve argv boundaries instead of reconstructing shell quoting.",
+        `worker_command argv JSON: ${commandArgv}`,
         "Do not continue the audit recursively.",
         "Do not choose another task.",
+        task.timeout_ms
+            ? `The worker command is budgeted for ${task.timeout_ms} ms.`
+            : "If the command hangs or fails, stop and let the supervisor handle it.",
         `The command must write the worker result JSON to: ${task.result_path}`,
         "After the command completes, stop.",
     ].join("\n");

package/dist/providers/claudeCodeProvider.d.ts

@@ -1,8 +1,11 @@
 import type { FreshSessionProvider, LaunchFreshSessionInput } from "./types.js";
 import type { ClaudeCodeConfig } from "../types/sessionConfig.js";
+import { spawnLoggedCommand } from "./spawnLoggedCommand.js";
+export declare const ACTIVE_CLAUDE_CODE_SESSION_MESSAGE: string;
 export declare class ClaudeCodeProvider implements FreshSessionProvider {
     name: string;
     private readonly config;
-    constructor(config?: ClaudeCodeConfig);
+    private readonly launchCommand;
+    constructor(config?: ClaudeCodeConfig, launchCommand?: typeof spawnLoggedCommand);
     launch(input: LaunchFreshSessionInput): Promise<import("./types.js").LaunchFreshSessionResult>;
 }

package/dist/providers/claudeCodeProvider.js

@@ -1,16 +1,19 @@
 import { readFile } from "node:fs/promises";
 import { spawnLoggedCommand } from "./spawnLoggedCommand.js";
+export const ACTIVE_CLAUDE_CODE_SESSION_MESSAGE = "claude-code provider cannot be used inside an active Claude Code session. " +
+    'Set provider to "local-subprocess" in .audit-artifacts/session-config.json, ' +
+    "then run /audit-code conversationally and follow the dispatch prompts manually.";
 export class ClaudeCodeProvider {
     name = "claude-code";
     config;
-    constructor(config = {}) {
+    launchCommand;
+    constructor(config = {}, launchCommand = spawnLoggedCommand) {
         this.config = config;
+        this.launchCommand = launchCommand;
     }
     async launch(input) {
         if (process.env.CLAUDECODE) {
-            throw new Error("claude-code provider cannot be used inside an active Claude Code session. " +
-                "Set provider to \"local-subprocess\" in .audit-artifacts/session-config.json, " +
-                "then run /audit-code conversationally and follow the dispatch prompts manually.");
+            throw new Error(ACTIVE_CLAUDE_CODE_SESSION_MESSAGE);
         }
         const prompt = await readFile(input.promptPath, "utf8");
         const command = this.config.command ?? "claude";
@@ -20,6 +23,6 @@ export class ClaudeCodeProvider {
             ...(this.config.extra_args ?? []),
             "--dangerously-skip-permissions",
         ];
-        return await spawnLoggedCommand(command, args, input);
+        return await this.launchCommand(command, args, input);
     }
 }

package/dist/providers/localSubprocessProvider.d.ts

@@ -1,5 +1,9 @@
 import type { FreshSessionProvider, LaunchFreshSessionInput } from "./types.js";
+import { spawnLoggedCommand } from "./spawnLoggedCommand.js";
+export declare const MISSING_WORKER_COMMAND_MESSAGE = "local-subprocess provider requires task.worker_command.";
 export declare class LocalSubprocessProvider implements FreshSessionProvider {
     name: string;
+    private readonly launchCommand;
+    constructor(launchCommand?: typeof spawnLoggedCommand);
     launch(input: LaunchFreshSessionInput): Promise<import("./types.js").LaunchFreshSessionResult>;
 }

package/dist/providers/localSubprocessProvider.js

@@ -1,13 +1,18 @@
 import { readJsonFile } from "../io/json.js";
 import { spawnLoggedCommand } from "./spawnLoggedCommand.js";
+export const MISSING_WORKER_COMMAND_MESSAGE = "local-subprocess provider requires task.worker_command.";
 export class LocalSubprocessProvider {
     name = "local-subprocess";
+    launchCommand;
+    constructor(launchCommand = spawnLoggedCommand) {
+        this.launchCommand = launchCommand;
+    }
     async launch(input) {
         const task = await readJsonFile(input.taskPath);
         if (!task.worker_command.length) {
-            throw new Error("local-subprocess provider requires task.worker_command.");
+            throw new Error(MISSING_WORKER_COMMAND_MESSAGE);
         }
         const [command, ...args] = task.worker_command;
-        return await spawnLoggedCommand(command, args, input);
+        return await this.launchCommand(command, args, input);
     }
 }

package/dist/providers/spawnLoggedCommand.d.ts

@@ -1,2 +1,10 @@
+import { createWriteStream } from "node:fs";
+import { spawn } from "node:child_process";
 import type { LaunchFreshSessionInput, LaunchFreshSessionResult } from "./types.js";
-export declare function spawnLoggedCommand(command: string, args: string[], input: LaunchFreshSessionInput, env?: Record<string, string>): Promise<LaunchFreshSessionResult>;
+interface SpawnLoggedCommandOptions {
+    createWriteStream?: typeof createWriteStream;
+    spawn?: typeof spawn;
+    killGraceMs?: number;
+}
+export declare function spawnLoggedCommand(command: string, args: string[], input: LaunchFreshSessionInput, env?: Record<string, string>, options?: SpawnLoggedCommandOptions): Promise<LaunchFreshSessionResult>;
+export {};

package/dist/providers/spawnLoggedCommand.js

@@ -1,5 +1,8 @@
 import { createWriteStream } from "node:fs";
 import { spawn } from "node:child_process";
+const TERMINATION_SIGNAL = "SIGTERM";
+const FORCE_KILL_SIGNAL = "SIGKILL";
+const FORCE_KILL_GRACE_MS = 1_000;
 function tee(write, chunk) {
     write.write(chunk);
 }
@@ -7,22 +10,77 @@ function tee(write, chunk) {
 // does not consult PATH for executables without a shell. Callers should use
 // `platformCommand()` (scripts/smoke-packaged-audit-code.mjs) or similar to
 // supply the correct command form for the host OS.
-export async function spawnLoggedCommand(command, args, input, env) {
+export async function spawnLoggedCommand(command, args, input, env, options = {}) {
+    const openWriteStream = options.createWriteStream ?? createWriteStream;
+    const spawnProcess = options.spawn ?? spawn;
+    const killGraceMs = options.killGraceMs ?? FORCE_KILL_GRACE_MS;
     return await new Promise((resolve, reject) => {
-        const stdoutLog = createWriteStream(input.stdoutPath, { flags: "a" });
-        const stderrLog = createWriteStream(input.stderrPath, { flags: "a" });
+        const stdoutLog = openWriteStream(input.stdoutPath, { flags: "a" });
+        const stderrLog = openWriteStream(input.stderrPath, { flags: "a" });
         const startedAt = Date.now();
         let timedOut = false;
-        const child = spawn(command, args, {
-            cwd: input.repoRoot,
-            env: { ...process.env, ...env },
-            stdio: ["ignore", "pipe", "pipe"],
-        });
-        const timer = setTimeout(() => {
+        let settled = false;
+        let child = null;
+        let timer;
+        let heartbeat;
+        let forceKillTimer;
+        const cleanup = () => {
+            if (timer) {
+                clearTimeout(timer);
+            }
+            if (heartbeat) {
+                clearInterval(heartbeat);
+            }
+            if (forceKillTimer) {
+                clearTimeout(forceKillTimer);
+            }
+            stdoutLog.end();
+            stderrLog.end();
+        };
+        const settle = (callback) => {
+            if (settled) {
+                return;
+            }
+            settled = true;
+            cleanup();
+            callback();
+        };
+        const fail = (error) => {
+            if (child && !child.killed) {
+                child.kill(FORCE_KILL_SIGNAL);
+            }
+            const normalized = error instanceof Error ? error : new Error(String(error));
+            settle(() => reject(normalized));
+        };
+        stdoutLog.on("error", fail);
+        stderrLog.on("error", fail);
+        let spawnedChild;
+        try {
+            spawnedChild = spawnProcess(command, args, {
+                cwd: input.repoRoot,
+                env: { ...process.env, ...env },
+                stdio: ["ignore", "pipe", "pipe"],
+            });
+            child = spawnedChild;
+        }
+        catch (error) {
+            fail(error);
+            return;
+        }
+        if (!spawnedChild.stdout || !spawnedChild.stderr) {
+            fail(new Error(`Fresh session spawn for run ${input.runId} did not provide pipe-backed stdout/stderr streams.`));
+            return;
+        }
+        timer = setTimeout(() => {
             timedOut = true;
-            child.kill("SIGTERM");
+            spawnedChild.kill(TERMINATION_SIGNAL);
+            forceKillTimer = setTimeout(() => {
+                if (!settled) {
+                    spawnedChild.kill(FORCE_KILL_SIGNAL);
+                }
+            }, killGraceMs);
         }, input.timeoutMs);
-        const heartbeat = setInterval(() => {
+        heartbeat = setInterval(() => {
             const elapsedMs = Date.now() - startedAt;
             const message = `[provider] run ${input.runId} still running after ${elapsedMs}ms\n`;
             tee(stderrLog, message);
@@ -30,40 +88,30 @@ export async function spawnLoggedCommand(command, args, input, env) {
                 process.stderr.write(message);
             }
         }, 30_000);
-        child.stdout.on("data", (chunk) => {
+        spawnedChild.stdout.on("data", (chunk) => {
             tee(stdoutLog, chunk);
             if (input.uiMode === "visible") {
                 process.stdout.write(chunk);
             }
         });
-        child.stderr.on("data", (chunk) => {
+        spawnedChild.stderr.on("data", (chunk) => {
             tee(stderrLog, chunk);
             if (input.uiMode === "visible") {
                 process.stderr.write(chunk);
             }
         });
-        child.on("error", (error) => {
-            clearTimeout(timer);
-            clearInterval(heartbeat);
-            stdoutLog.end();
-            stderrLog.end();
-            reject(error);
-        });
-        child.on("exit", (code, signal) => {
-            clearTimeout(timer);
-            clearInterval(heartbeat);
-            stdoutLog.end();
-            stderrLog.end();
+        spawnedChild.on("error", fail);
+        spawnedChild.on("exit", (code, signal) => {
             if (timedOut) {
-                reject(new Error(`Fresh session timed out after ${input.timeoutMs}ms for run ${input.runId}.`));
+                settle(() => reject(new Error(`Fresh session timed out after ${input.timeoutMs}ms for run ${input.runId}.`)));
                 return;
             }
-            resolve({
+            settle(() => resolve({
                 accepted: true,
-                processId: child.pid,
+                processId: spawnedChild.pid,
                 exitCode: code,
                 signal,
-            });
+            }));
         });
     });
 }

package/dist/reporting/synthesis.d.ts

@@ -1,4 +1,5 @@
 import type { AuditResult, CoverageMatrix, Finding, UnitManifest } from "../types.js";
+import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
 import type { CriticalFlowManifest } from "../types/flows.js";
 import type { GraphBundle } from "../types/graph.js";
 import type { RuntimeValidationReport } from "../types/runtimeValidation.js";
@@ -23,5 +24,6 @@ export declare function buildAuditReportModel(params: {
     criticalFlows?: CriticalFlowManifest;
     coverageMatrix?: CoverageMatrix;
     runtimeValidationReport?: RuntimeValidationReport;
+    externalAnalyzerResults?: ExternalAnalyzerResults;
 }): AuditReportModel;
 export declare function renderAuditReportMarkdown(model: AuditReportModel): string;

package/dist/reporting/synthesis.js

@@ -1,18 +1,21 @@
 import { buildWorkBlocks } from "./workBlocks.js";
 import { mergeFindings } from "./mergeFindings.js";
-function severityBreakdown(findings) {
+function countBy(items, selectKey) {
     const breakdown = {};
-    for (const finding of findings) {
-        breakdown[finding.severity] = (breakdown[finding.severity] ?? 0) + 1;
+    for (const item of items) {
+        const key = selectKey(item);
+        if (!key) {
+            continue;
+        }
+        breakdown[key] = (breakdown[key] ?? 0) + 1;
     }
     return breakdown;
 }
+function severityBreakdown(findings) {
+    return countBy(findings, (finding) => finding.severity);
+}
 function runtimeStatusBreakdown(report) {
-    const breakdown = {};
-    for (const result of report?.results ?? []) {
-        breakdown[result.status] = (breakdown[result.status] ?? 0) + 1;
-    }
-    return breakdown;
+    return countBy(report?.results ?? [], (result) => result.status);
 }
 function coverageSummary(coverage) {
     const files = coverage?.files ?? [];
@@ -29,7 +32,7 @@ function formatSeverityList(summary) {
     return parts.length > 0 ? parts.join(", ") : "none";
 }
 export function buildAuditReportModel(params) {
-    const findings = mergeFindings(params.results, params.runtimeValidationReport);
+    const findings = mergeFindings(params.results, params.runtimeValidationReport, params.externalAnalyzerResults);
     const workBlocks = buildWorkBlocks({
         findings,
         unitManifest: params.unitManifest,