auditor-lambda 0.2.8 → 0.2.9

package/dist/extractors/flows.js

@@ -1,14 +1,12 @@
 import { isAuditExcludedStatus } from "./disposition.js";
-import { isSecuritySensitivePath, isDataLayerPath, isConcurrencyPath, isInterfacePath, isDeploymentConfigPath, } from "./pathPatterns.js";
+import { EXTRACTOR_HEURISTIC_NOTE, isAsyncTaskPath, isBillingPath, isIdentityPath, isSecuritySensitivePath, isDataLayerPath, isConcurrencyPath, isInterfacePath, isDeploymentConfigPath, normalizeExtractorPath, } from "./pathPatterns.js";
 function inferConcerns(paths) {
     const concerns = new Set();
     for (const path of paths) {
-        const normalized = path.toLowerCase();
+        const normalized = normalizeExtractorPath(path);
         if (isSecuritySensitivePath(normalized))
             concerns.add("security");
-        if (isDataLayerPath(normalized) ||
-            normalized.includes("invoice") ||
-            normalized.includes("payment"))
+        if (isDataLayerPath(normalized) || isBillingPath(normalized))
             concerns.add("data_integrity");
         if (isConcurrencyPath(normalized))
             concerns.add("reliability");
@@ -18,47 +16,26 @@ function inferConcerns(paths) {
     return concerns.size > 0 ? [...concerns] : ["correctness"];
 }
 function relatedPaths(entry, availablePaths) {
-    const normalized = entry.toLowerCase();
+    const normalized = normalizeExtractorPath(entry);
     const linked = new Set([entry]);
     for (const path of availablePaths) {
-        const lower = path.toLowerCase();
+        const lower = normalizeExtractorPath(path);
         if (path === entry)
             continue;
         // Auth / session flows: link sibling auth, session, token, user paths
-        if (isSecuritySensitivePath(normalized) &&
-            (lower.includes("auth") ||
-                lower.includes("session") ||
-                lower.includes("token") ||
-                lower.includes("user"))) {
+        if (isSecuritySensitivePath(normalized) && isIdentityPath(lower)) {
             linked.add(path);
         }
         // Billing / payment flows: link ledger and subscription paths
-        if ((normalized.includes("billing") ||
-            normalized.includes("invoice") ||
-            normalized.includes("payment")) &&
-            (lower.includes("billing") ||
-                lower.includes("invoice") ||
-                lower.includes("payment") ||
-                lower.includes("ledger") ||
-                lower.includes("subscription"))) {
+        if (isBillingPath(normalized) && isBillingPath(lower)) {
             linked.add(path);
         }
         // Async / queue flows: link worker, job, retry, and task paths
-        if (isConcurrencyPath(normalized) &&
-            (lower.includes("queue") ||
-                lower.includes("retry") ||
-                lower.includes("worker") ||
-                lower.includes("job") ||
-                lower.includes("task"))) {
+        if (isConcurrencyPath(normalized) && isAsyncTaskPath(lower)) {
             linked.add(path);
         }
         // Deployment / infra flows: link docker, k8s, terraform, workflow paths
-        if (isDeploymentConfigPath(normalized) &&
-            (lower.includes("deploy") ||
-                lower.includes("docker") ||
-                lower.includes("workflow") ||
-                lower.includes("k8s") ||
-                lower.includes("terraform"))) {
+        if (isDeploymentConfigPath(normalized) && isDeploymentConfigPath(lower)) {
             linked.add(path);
         }
     }
@@ -76,6 +53,11 @@ function dedupeFlows(flows) {
     }
     return deduped;
 }
+/**
+ * Builds coarse critical-flow coverage from shared path heuristics. These
+ * bootstrap flows are intentionally conservative and should be reviewed when a
+ * repo uses unconventional naming or layout conventions.
+ */
 export function buildCriticalFlowManifest(repoManifest, surfaceManifest, disposition) {
     const dispositionMap = new Map(disposition?.files.map((item) => [item.path, item.status]) ?? []);
     const availablePaths = repoManifest.files
@@ -95,14 +77,12 @@ export function buildCriticalFlowManifest(repoManifest, surfaceManifest, disposi
             paths,
             concerns: inferConcerns(paths),
             confidence: paths.length > 1 ? "high" : "low",
-            notes: [
-                "Heuristic critical-flow inference from detected surfaces and related paths.",
-            ],
+            notes: [EXTRACTOR_HEURISTIC_NOTE],
         });
     }
     for (const path of availablePaths) {
-        const lower = path.toLowerCase();
-        if (isDataLayerPath(lower) || lower.includes("seed")) {
+        const normalized = normalizeExtractorPath(path);
+        if (isDataLayerPath(normalized)) {
             flows.push({
                 id: `flow:data:${path.replace(/[^a-zA-Z0-9:_-]/g, "-")}`,
                 name: `data evolution flow for ${path}`,
@@ -110,7 +90,7 @@ export function buildCriticalFlowManifest(repoManifest, surfaceManifest, disposi
                 paths: relatedPaths(path, availablePaths),
                 concerns: ["data_integrity", "reliability"],
                 confidence: "high",
-                notes: ["Heuristic data-evolution flow."],
+                notes: [EXTRACTOR_HEURISTIC_NOTE],
             });
         }
     }

package/dist/extractors/pathPatterns.d.ts

@@ -1,8 +1,10 @@
 /**
- * Centralised path-pattern predicates shared across disposition, bucketing,
- * surfaces, and flows extractors.  Every function operates on the
- * already-lower-cased form of the path.
+ * Shared bootstrap heuristics for the extractor layer. These rules run before
+ * richer graph/unit analysis exists, so they intentionally favor recall over
+ * precision and always normalize case plus path separators first.
  */
+export declare const EXTRACTOR_HEURISTIC_NOTE = "Heuristic path classification normalizes case and path separators, then matches conservative keyword groups; confirm unusual repo layouts manually.";
+export declare function normalizeExtractorPath(path: string): string;
 export declare function isNodeModulesOrGit(normalized: string): boolean;
 export declare function isBuildOutput(normalized: string): boolean;
 export declare function isVendorPath(normalized: string): boolean;
@@ -20,3 +22,8 @@ export declare function isScriptPath(normalized: string): boolean;
 export declare function isDeploymentConfigPath(normalized: string): boolean;
 export declare function isGeneratedPath(normalized: string): boolean;
 export declare function isSurfacePath(normalized: string): boolean;
+export declare function isBackgroundSurfacePath(normalized: string): boolean;
+export declare function isNetworkSurfacePath(normalized: string): boolean;
+export declare function isBillingPath(normalized: string): boolean;
+export declare function isIdentityPath(normalized: string): boolean;
+export declare function isAsyncTaskPath(normalized: string): boolean;

package/dist/extractors/pathPatterns.js

@@ -1,100 +1,148 @@
 /**
- * Centralised path-pattern predicates shared across disposition, bucketing,
- * surfaces, and flows extractors.  Every function operates on the
- * already-lower-cased form of the path.
+ * Shared bootstrap heuristics for the extractor layer. These rules run before
+ * richer graph/unit analysis exists, so they intentionally favor recall over
+ * precision and always normalize case plus path separators first.
  */
+export const EXTRACTOR_HEURISTIC_NOTE = "Heuristic path classification normalizes case and path separators, then matches conservative keyword groups; confirm unusual repo layouts manually.";
+const BINARY_EXTENSIONS = [
+    ".png",
+    ".jpg",
+    ".jpeg",
+    ".gif",
+    ".pdf",
+    ".zip",
+];
+const LOCKFILE_NAMES = [
+    "package-lock.json",
+    "pnpm-lock.yaml",
+    "yarn.lock",
+    "cargo.lock",
+    "composer.lock",
+    "go.sum",
+];
+const TEST_KEYWORDS = ["test", "spec", "__tests__"];
+const INTERFACE_KEYWORDS = ["route", "controller", "handler"];
+const DATA_LAYER_KEYWORDS = ["model", "schema", "migration", "seed"];
+const SECURITY_KEYWORDS = [
+    "auth",
+    "secret",
+    "token",
+    "permission",
+    "session",
+];
+const CONCURRENCY_KEYWORDS = [
+    "queue",
+    "worker",
+    "job",
+    "cache",
+    "retry",
+    "lock",
+];
+const SCRIPT_KEYWORDS = ["script"];
+const DEPLOYMENT_KEYWORDS = [
+    "docker",
+    "terraform",
+    "deploy",
+    "workflow",
+    "k8s",
+];
+const SURFACE_KEYWORDS = ["route", "controller", "worker", "job", "command"];
+const BILLING_KEYWORDS = [
+    "billing",
+    "invoice",
+    "payment",
+    "ledger",
+    "subscription",
+];
+const IDENTITY_KEYWORDS = ["user"];
+const ASYNC_TASK_KEYWORDS = ["task"];
+export function normalizeExtractorPath(path) {
+    return path.replace(/\\/g, "/").toLowerCase();
+}
+function splitSegments(normalized) {
+    return normalized.split("/").filter(Boolean);
+}
+function hasSegment(normalized, segment) {
+    return splitSegments(normalized).includes(segment);
+}
+function includesAny(normalized, values) {
+    return values.some((value) => normalized.includes(value));
+}
+function endsWithAny(normalized, suffixes) {
+    return suffixes.some((suffix) => normalized.endsWith(suffix));
+}
+function baseName(normalized) {
+    const segments = splitSegments(normalized);
+    return segments.at(-1) ?? normalized;
+}
 export function isNodeModulesOrGit(normalized) {
-    const segments = normalized.split(/[/\\]/);
-    return segments.includes("node_modules") || segments.includes(".git");
+    return hasSegment(normalized, "node_modules") || hasSegment(normalized, ".git");
 }
 export function isBuildOutput(normalized) {
-    return normalized.startsWith("dist/") || normalized.startsWith("build/");
+    return hasSegment(normalized, "dist") || hasSegment(normalized, "build");
 }
 export function isVendorPath(normalized) {
     return normalized.includes("vendor") || normalized.includes("third_party");
 }
 export function isBinaryArtifact(normalized) {
-    return (normalized.endsWith(".png") ||
-        normalized.endsWith(".jpg") ||
-        normalized.endsWith(".jpeg") ||
-        normalized.endsWith(".gif") ||
-        normalized.endsWith(".pdf") ||
-        normalized.endsWith(".zip"));
+    return endsWithAny(normalized, BINARY_EXTENSIONS);
 }
 export function isLogPath(normalized) {
-    return normalized.endsWith(".log") || normalized.includes("stdout.log") || normalized.includes("stderr.log");
+    return normalized.endsWith(".log") || includesAny(normalized, ["stdout.log", "stderr.log"]);
 }
 export function isLicensePath(normalized) {
-    const base = normalized.split(/[/\\]/).pop() ?? normalized;
+    const base = baseName(normalized);
     return base === "license" || base.startsWith("license.");
 }
 export function isLockfilePath(normalized) {
-    return (normalized.endsWith("package-lock.json") ||
-        normalized.endsWith("pnpm-lock.yaml") ||
-        normalized.endsWith("yarn.lock") ||
-        normalized.endsWith("cargo.lock") ||
-        normalized.endsWith("composer.lock") ||
-        normalized.endsWith("go.sum"));
+    return endsWithAny(normalized, LOCKFILE_NAMES);
 }
 export function isDocPath(normalized) {
-    return normalized.endsWith(".md") || normalized.startsWith("docs/");
+    return normalized.endsWith(".md") || hasSegment(normalized, "docs");
 }
 export function isTestPath(normalized) {
-    return (normalized.includes("test") ||
-        normalized.includes("spec") ||
-        normalized.includes("__tests__"));
+    return includesAny(normalized, TEST_KEYWORDS);
 }
 export function isInterfacePath(normalized) {
-    return (normalized.includes("route") ||
-        normalized.includes("controller") ||
-        normalized.includes("handler") ||
-        normalized.includes("api/"));
+    return includesAny(normalized, INTERFACE_KEYWORDS) || hasSegment(normalized, "api");
 }
 export function isDataLayerPath(normalized) {
-    return (normalized.includes("model") ||
-        normalized.includes("schema") ||
-        normalized.includes("migration") ||
-        normalized.includes("seed") ||
-        normalized.includes("db/"));
+    return includesAny(normalized, DATA_LAYER_KEYWORDS) || hasSegment(normalized, "db");
 }
 export function isSecuritySensitivePath(normalized) {
-    return (normalized.includes("auth") ||
-        normalized.includes("secret") ||
-        normalized.includes("token") ||
-        normalized.includes("permission") ||
-        normalized.includes("session"));
+    return includesAny(normalized, SECURITY_KEYWORDS);
 }
 export function isConcurrencyPath(normalized) {
-    return (normalized.includes("queue") ||
-        normalized.includes("worker") ||
-        normalized.includes("job") ||
-        normalized.includes("cache") ||
-        normalized.includes("retry") ||
-        normalized.includes("lock"));
+    return includesAny(normalized, CONCURRENCY_KEYWORDS);
 }
 export function isScriptPath(normalized) {
-    return (normalized.includes("script") ||
-        normalized.startsWith("scripts/") ||
-        normalized.startsWith("bin/"));
+    return (includesAny(normalized, SCRIPT_KEYWORDS) ||
+        hasSegment(normalized, "scripts") ||
+        hasSegment(normalized, "bin"));
 }
 export function isDeploymentConfigPath(normalized) {
-    return (normalized.includes("docker") ||
-        normalized.includes("terraform") ||
-        normalized.includes("deploy") ||
-        normalized.includes("workflow") ||
-        normalized.includes("k8s") ||
-        normalized.endsWith(".yml") ||
-        normalized.endsWith(".yaml"));
+    return includesAny(normalized, DEPLOYMENT_KEYWORDS) || endsWithAny(normalized, [".yml", ".yaml"]);
 }
 export function isGeneratedPath(normalized) {
     return normalized.includes("vendor") || normalized.includes("generated");
 }
 export function isSurfacePath(normalized) {
-    return (normalized.includes("api/") ||
-        normalized.includes("route") ||
-        normalized.includes("controller") ||
-        normalized.includes("worker") ||
-        normalized.includes("job") ||
-        normalized.includes("command") ||
-        normalized.includes("cli"));
+    return (hasSegment(normalized, "api") ||
+        includesAny(normalized, SURFACE_KEYWORDS) ||
+        hasSegment(normalized, "cli"));
+}
+export function isBackgroundSurfacePath(normalized) {
+    return includesAny(normalized, ["worker", "job"]);
+}
+export function isNetworkSurfacePath(normalized) {
+    return hasSegment(normalized, "api") || includesAny(normalized, ["route", "controller"]);
+}
+export function isBillingPath(normalized) {
+    return includesAny(normalized, BILLING_KEYWORDS);
+}
+export function isIdentityPath(normalized) {
+    return isSecuritySensitivePath(normalized) || includesAny(normalized, IDENTITY_KEYWORDS);
+}
+export function isAsyncTaskPath(normalized) {
+    return isConcurrencyPath(normalized) || includesAny(normalized, ASYNC_TASK_KEYWORDS);
 }

package/dist/extractors/surfaces.d.ts

@@ -1,4 +1,8 @@
 import type { RepoManifest } from "../types.js";
 import type { FileDisposition } from "../types/disposition.js";
 import type { SurfaceManifest } from "../types/surfaces.js";
+/**
+ * Detects likely execution surfaces from file paths using the shared extractor
+ * heuristics, primarily to seed later audit planning.
+ */
 export declare function buildSurfaceManifest(repoManifest: RepoManifest, disposition?: FileDisposition): SurfaceManifest;

package/dist/extractors/surfaces.js

@@ -1,12 +1,16 @@
 import { isAuditExcludedStatus } from "./disposition.js";
-import { isSurfacePath } from "./pathPatterns.js";
+import { EXTRACTOR_HEURISTIC_NOTE, isBackgroundSurfacePath, isNetworkSurfacePath, isSurfacePath, normalizeExtractorPath, } from "./pathPatterns.js";
 function methodsForPath(path) {
-    const normalized = path.toLowerCase();
-    if (normalized.includes("api") || normalized.includes("route")) {
+    const normalized = normalizeExtractorPath(path);
+    if (isNetworkSurfacePath(normalized)) {
         return ["GET", "POST"];
     }
     return undefined;
 }
+/**
+ * Detects likely execution surfaces from file paths using the shared extractor
+ * heuristics, primarily to seed later audit planning.
+ */
 export function buildSurfaceManifest(repoManifest, disposition) {
     const surfaces = [];
     const dispositionMap = new Map(disposition?.files.map((item) => [item.path, item.status]) ?? []);
@@ -15,19 +19,15 @@ export function buildSurfaceManifest(repoManifest, disposition) {
         if (status && isAuditExcludedStatus(status)) {
             continue;
         }
-        const normalized = file.path.toLowerCase();
+        const normalized = normalizeExtractorPath(file.path);
         if (isSurfacePath(normalized)) {
             surfaces.push({
                 id: `surface:${file.path}`,
-                kind: normalized.includes("worker") || normalized.includes("job")
-                    ? "background"
-                    : "interface",
+                kind: isBackgroundSurfacePath(normalized) ? "background" : "interface",
                 entrypoint: file.path,
-                exposure: normalized.includes("api") || normalized.includes("route")
-                    ? "network"
-                    : "local",
+                exposure: isNetworkSurfacePath(normalized) ? "network" : "local",
                 methods: methodsForPath(file.path),
-                notes: ["Heuristic surface detection."],
+                notes: [EXTRACTOR_HEURISTIC_NOTE],
             });
         }
     }

package/dist/index.d.ts

@@ -1 +1 @@
-import "./cli.js";
+export {};

package/dist/index.js

@@ -1 +1,2 @@
-import "./cli.js";
+import { runCli } from "./cli.js";
+await runCli(process.argv);

package/dist/io/artifacts.d.ts

@@ -9,48 +9,62 @@ import type { GraphBundle } from "../types/graph.js";
 import type { RiskRegister } from "../types/risk.js";
 import type { RuntimeValidationReport, RuntimeValidationTaskManifest } from "../types/runtimeValidation.js";
 import type { SurfaceManifest } from "../types/surfaces.js";
-export interface ArtifactBundle {
-    repo_manifest?: RepoManifest;
-    file_disposition?: FileDisposition;
-    auto_fixes_applied?: unknown;
-    unit_manifest?: UnitManifest;
-    graph_bundle?: GraphBundle;
-    surface_manifest?: SurfaceManifest;
-    critical_flows?: CriticalFlowManifest;
-    flow_coverage?: FlowCoverageManifest;
-    risk_register?: RiskRegister;
-    coverage_matrix?: CoverageMatrix;
-    runtime_validation_tasks?: RuntimeValidationTaskManifest;
-    runtime_validation_report?: RuntimeValidationReport;
-    external_analyzer_results?: ExternalAnalyzerResults;
-    audit_results?: AuditResult[];
-    audit_tasks?: AuditTask[];
-    requeue_tasks?: AuditTask[];
-    audit_report?: string;
-    audit_state?: AuditState;
-    artifact_metadata?: ArtifactMetadataManifest;
+type ArtifactPayloadMap = {
+    repo_manifest: RepoManifest;
+    file_disposition: FileDisposition;
+    auto_fixes_applied: unknown;
+    unit_manifest: UnitManifest;
+    graph_bundle: GraphBundle;
+    surface_manifest: SurfaceManifest;
+    critical_flows: CriticalFlowManifest;
+    flow_coverage: FlowCoverageManifest;
+    risk_register: RiskRegister;
+    coverage_matrix: CoverageMatrix;
+    runtime_validation_tasks: RuntimeValidationTaskManifest;
+    runtime_validation_report: RuntimeValidationReport;
+    external_analyzer_results: ExternalAnalyzerResults;
+    audit_results: AuditResult[];
+    audit_tasks: AuditTask[];
+    requeue_tasks: AuditTask[];
+    audit_report: string;
+    audit_state: AuditState;
+    artifact_metadata: ArtifactMetadataManifest;
+};
+/**
+ * Audit artifacts accumulate phase-by-phase as the orchestrator advances.
+ * Missing keys mean the corresponding artifact has not been produced yet.
+ */
+export type ArtifactBundle = Partial<ArtifactPayloadMap>;
+export type ArtifactBundleKey = keyof ArtifactPayloadMap;
+type ArtifactPhase = "intake" | "analysis" | "execution" | "reporting" | "supervisor";
+interface ArtifactDefinition<K extends ArtifactBundleKey = ArtifactBundleKey> {
+    fileName: string;
+    phase: ArtifactPhase;
+    read: (path: string) => Promise<ArtifactPayloadMap[K] | undefined>;
+    write: (path: string, value: ArtifactPayloadMap[K]) => Promise<void>;
 }
-export declare const ARTIFACT_FILE_TO_BUNDLE_KEY: {
-    readonly "repo_manifest.json": "repo_manifest";
-    readonly "file_disposition.json": "file_disposition";
-    readonly "auto_fixes_applied.json": "auto_fixes_applied";
-    readonly "unit_manifest.json": "unit_manifest";
-    readonly "graph_bundle.json": "graph_bundle";
-    readonly "surface_manifest.json": "surface_manifest";
-    readonly "critical_flows.json": "critical_flows";
-    readonly "flow_coverage.json": "flow_coverage";
-    readonly "risk_register.json": "risk_register";
-    readonly "coverage_matrix.json": "coverage_matrix";
-    readonly "runtime_validation_tasks.json": "runtime_validation_tasks";
-    readonly "runtime_validation_report.json": "runtime_validation_report";
-    readonly "external_analyzer_results.json": "external_analyzer_results";
-    readonly "audit_results.jsonl": "audit_results";
-    readonly "audit_tasks.json": "audit_tasks";
-    readonly "requeue_tasks.json": "requeue_tasks";
-    readonly "audit-report.md": "audit_report";
-    readonly "audit_state.json": "audit_state";
-    readonly "artifact_metadata.json": "artifact_metadata";
+export declare const ARTIFACT_DEFINITIONS: {
+    readonly repo_manifest: ArtifactDefinition<"repo_manifest">;
+    readonly file_disposition: ArtifactDefinition<"file_disposition">;
+    readonly auto_fixes_applied: ArtifactDefinition<"auto_fixes_applied">;
+    readonly unit_manifest: ArtifactDefinition<"unit_manifest">;
+    readonly graph_bundle: ArtifactDefinition<"graph_bundle">;
+    readonly surface_manifest: ArtifactDefinition<"surface_manifest">;
+    readonly critical_flows: ArtifactDefinition<"critical_flows">;
+    readonly flow_coverage: ArtifactDefinition<"flow_coverage">;
+    readonly risk_register: ArtifactDefinition<"risk_register">;
+    readonly coverage_matrix: ArtifactDefinition<"coverage_matrix">;
+    readonly runtime_validation_tasks: ArtifactDefinition<"runtime_validation_tasks">;
+    readonly runtime_validation_report: ArtifactDefinition<"runtime_validation_report">;
+    readonly external_analyzer_results: ArtifactDefinition<"external_analyzer_results">;
+    readonly audit_results: ArtifactDefinition<"audit_results">;
+    readonly audit_tasks: ArtifactDefinition<"audit_tasks">;
+    readonly requeue_tasks: ArtifactDefinition<"requeue_tasks">;
+    readonly audit_report: ArtifactDefinition<"audit_report">;
+    readonly audit_state: ArtifactDefinition<"audit_state">;
+    readonly artifact_metadata: ArtifactDefinition<"artifact_metadata">;
 };
+export declare const ARTIFACT_FILE_TO_BUNDLE_KEY: Record<string, ArtifactBundleKey>;
 export declare function getArtifactValue(bundle: ArtifactBundle, artifactName: string): unknown;
 export declare function loadArtifactBundle(root: string): Promise<ArtifactBundle>;
 export declare function writeCoreArtifacts(root: string, bundle: ArtifactBundle): Promise<void>;
@@ -59,3 +73,4 @@ export declare function promoteFinalAuditReport(params: {
     artifactsDir: string;
     repoRoot: string;
 }): Promise<void>;
+export {};