auditor-lambda 0.2.9 → 0.2.11

package/README.md

@@ -183,6 +183,8 @@ The short version is:
 ```bash
 npm install
 npm run verify:release
+npm run release:patch
+npm run release:patch:publish
 ```
 
 For GitHub Actions publication and npm Trusted Publishing setup, see `docs/releasing.md`.

package/audit-code-wrapper-lib.mjs

@@ -141,9 +141,13 @@ async function newestMtimeMs(path) {
   return newest;
 }
 
-async function shouldBuildDist() {
-  if (!(await fileExists(distEntry))) {
-    if (!(await fileExists(sourceRoot)) || !(await fileExists(tsconfigPath))) {
+export async function shouldBuildDistForPaths({
+  distEntryPath,
+  sourceRootPath,
+  tsconfigPath: tsconfigPathValue,
+}) {
+  if (!(await fileExists(distEntryPath))) {
+    if (!(await fileExists(sourceRootPath)) || !(await fileExists(tsconfigPathValue))) {
       throw new Error(
         'Bundled dist is missing and source files are unavailable for rebuild.',
       );
@@ -151,18 +155,25 @@ async function shouldBuildDist() {
     return true;
   }
 
-  if (!(await fileExists(sourceRoot)) || !(await fileExists(tsconfigPath))) {
+  if (!(await fileExists(sourceRootPath)) || !(await fileExists(tsconfigPathValue))) {
     return false;
   }
 
-  const distMtime = (await stat(distEntry)).mtimeMs;
-  const sourceMtime = await newestMtimeMs(sourceRoot);
-  const tsconfigMtime = (await stat(tsconfigPath)).mtimeMs;
-  const packageJsonMtime = (await stat(packageJsonPath)).mtimeMs;
-  const newestInput = Math.max(sourceMtime, tsconfigMtime, packageJsonMtime);
+  const distMtime = (await stat(distEntryPath)).mtimeMs;
+  const sourceMtime = await newestMtimeMs(sourceRootPath);
+  const tsconfigMtime = (await stat(tsconfigPathValue)).mtimeMs;
+  const newestInput = Math.max(sourceMtime, tsconfigMtime);
   return distMtime < newestInput;
 }
 
+async function shouldBuildDist() {
+  return await shouldBuildDistForPaths({
+    distEntryPath: distEntry,
+    sourceRootPath: sourceRoot,
+    tsconfigPath,
+  });
+}
+
 async function releaseBuildLock(handle) {
   try {
     await handle?.close();

package/dist/cli.js

@@ -169,9 +169,12 @@ async function emitEnvelope(params) {
 }
 function buildManualReviewBlocker(providerName) {
     return providerName === LOCAL_SUBPROCESS_PROVIDER_NAME
-        ? "Automatic backend steps are exhausted. Remaining semantic review now belongs to the active conversation agent. Review the dispatched files, write structured audit results, and run the generated worker command to ingest them. If you intentionally want a backend bridge instead, re-run audit-code with --provider auto, --provider claude-code, --provider opencode, --provider subprocess-template, or --provider vscode-task."
+        ? "Automatic backend steps are exhausted. Remaining semantic review now belongs to the active conversation agent. Review the dispatched files, write structured audit results, and ingest them with audit-code --results <file> or audit-code --batch-results <dir>. If you intentionally want a backend bridge instead, re-run audit-code with --provider auto, --provider claude-code, --provider opencode, --provider subprocess-template, or --provider vscode-task."
         : "Automatic work is exhausted. Remaining audit tasks require explicit audit results or an interactive provider.";
 }
+function shouldRunInlineExecutor(selectedExecutor) {
+    return selectedExecutor !== null && selectedExecutor !== "agent";
+}
 function buildBlockedAuditState(params) {
     return {
         ...params.state,
@@ -896,6 +899,124 @@ async function cmdRunToCompletion(argv) {
         runCount += 1;
         const runId = buildRunId(obligationId, runCount);
         const paths = getRunPaths(artifactsDir, runId);
+        if (shouldRunInlineExecutor(preferredExecutor)) {
+            await clearDispatchFiles(artifactsDir);
+            const startedAt = new Date().toISOString();
+            let workerResult;
+            try {
+                const result = await runAuditStep({
+                    root,
+                    artifactsDir,
+                    preferredExecutor,
+                    auditResultsPath,
+                    runtimeUpdatesPath,
+                    externalAnalyzerPath,
+                });
+                workerResult = {
+                    contract_version: WORKER_RESULT_CONTRACT_VERSION,
+                    run_id: runId,
+                    obligation_id: obligationId,
+                    status: result.progress_made ? "completed" : "no_progress",
+                    progress_made: result.progress_made,
+                    selected_executor: result.selected_executor,
+                    artifacts_written: result.artifacts_written,
+                    summary: result.progress_summary,
+                    next_likely_step: result.next_likely_step,
+                    errors: [],
+                };
+            }
+            catch (error) {
+                const message = error instanceof Error ? error.message : String(error);
+                workerResult = {
+                    contract_version: WORKER_RESULT_CONTRACT_VERSION,
+                    run_id: runId,
+                    obligation_id: obligationId,
+                    status: "failed",
+                    progress_made: false,
+                    selected_executor: preferredExecutor,
+                    artifacts_written: [],
+                    summary: `Inline executor failed for ${preferredExecutor}: ${message}`,
+                    next_likely_step: decision.selected_obligation,
+                    errors: [message],
+                };
+            }
+            await writeJsonFile(paths.resultPath, workerResult);
+            await writeJsonFile(paths.statusPath, {
+                run_id: runId,
+                status: workerResult.status,
+                execution_mode: "inline",
+            });
+            await appendRunLedgerEntry(artifactsDir, {
+                run_id: runId,
+                provider: provider.name,
+                obligation_id: obligationId,
+                selected_executor: workerResult.selected_executor,
+                status: workerResult.status,
+                started_at: startedAt,
+                ended_at: new Date().toISOString(),
+                result_path: paths.resultPath,
+            });
+            lastResult = workerResult;
+            if (workerResult.progress_made) {
+                anyProgress = true;
+            }
+            for (const artifact of workerResult.artifacts_written) {
+                artifactsWritten.add(artifact);
+            }
+            artifactsWritten.add("run-ledger.json");
+            if (externalAnalyzerPath)
+                pendingExternalAnalyzerPath = undefined;
+            if (auditResultsPath &&
+                pendingBatchAuditResults[0] === auditResultsPath &&
+                preferredExecutor === "result_ingestion_executor" &&
+                workerResult.status !== "failed" &&
+                workerResult.status !== "blocked") {
+                pendingBatchAuditResults.shift();
+            }
+            if (auditResultsPath)
+                pendingAuditResultsPath = undefined;
+            if (runtimeUpdatesPath)
+                pendingRuntimeUpdatesPath = undefined;
+            if (workerResult.status === "failed" ||
+                workerResult.status === "blocked" ||
+                workerResult.status === "no_progress") {
+                const bundleAfter = await loadArtifactBundle(artifactsDir);
+                const shouldBlock = workerResult.status === "failed" || workerResult.status === "blocked";
+                const state = shouldBlock
+                    ? buildBlockedAuditState({
+                        state: bundleAfter.audit_state ?? deriveAuditState(bundleAfter),
+                        obligationId: workerResult.obligation_id,
+                        executor: workerResult.selected_executor,
+                        blocker: buildWorkerFailureBlocker(workerResult),
+                    })
+                    : bundleAfter.audit_state ?? deriveAuditState(bundleAfter);
+                if (shouldBlock) {
+                    await writeCoreArtifacts(artifactsDir, {
+                        ...bundleAfter,
+                        audit_state: state,
+                    });
+                }
+                await emitEnvelope({
+                    root,
+                    artifactsDir,
+                    bundle: shouldBlock
+                        ? { ...bundleAfter, audit_state: state }
+                        : bundleAfter,
+                    audit_state: state,
+                    selected_obligation: workerResult.obligation_id,
+                    selected_executor: workerResult.selected_executor,
+                    progress_made: anyProgress,
+                    artifacts_written: Array.from(shouldBlock
+                        ? new Set([...artifactsWritten, "audit_state.json"])
+                        : artifactsWritten),
+                    progress_summary: buildWorkerFailureBlocker(workerResult),
+                    next_likely_step: shouldBlock ? null : workerResult.next_likely_step,
+                    providerName: provider.name,
+                });
+                return;
+            }
+            continue;
+        }
         const pendingAuditTasks = preferredExecutor === "agent"
             ? buildPendingAuditTasks(bundle).slice(0, agentBatchSize)
             : undefined;

package/dist/orchestrator/autoFixExecutor.js

@@ -1,13 +1,9 @@
-import { execSync } from "node:child_process";
+import { join } from "node:path";
 import { isAuditExcludedStatus } from "../extractors/disposition.js";
-function tryRunConfiguredFormatter(root, command) {
-    try {
-        execSync(command, { cwd: root, stdio: "ignore", windowsHide: true });
-        return true;
-    }
-    catch (e) {
-        return false;
-    }
+import { resolveNodeTool, runFirstAvailableCommand, } from "./localCommands.js";
+function tryRunConfiguredFormatter(root, candidates) {
+    const result = runFirstAvailableCommand(root, candidates);
+    return result !== null && !result.error && result.exitCode === 0;
 }
 export function runAutoFixExecutor(bundle, root) {
     if (!bundle.file_disposition) {
@@ -28,24 +24,45 @@ export function runAutoFixExecutor(bundle, root) {
         extensions.has("js") ||
         extensions.has("tsx") ||
         extensions.has("jsx")) {
-        if (tryRunConfiguredFormatter(root, "npx prettier --write ."))
+        if (tryRunConfiguredFormatter(root, [
+            ...resolveNodeTool(root, join("node_modules", "prettier", "bin", "prettier.cjs"), ["--write", "."], "prettier --write ."),
+            { command: "prettier", args: ["--write", "."], display: "prettier --write ." },
+        ]))
             executedTools.push("prettier");
-        if (tryRunConfiguredFormatter(root, "npx eslint --fix ."))
+        if (tryRunConfiguredFormatter(root, [
+            ...resolveNodeTool(root, join("node_modules", "eslint", "bin", "eslint.js"), ["--fix", "."], "eslint --fix ."),
+            { command: "eslint", args: ["--fix", "."], display: "eslint --fix ." },
+        ]))
             executedTools.push("eslint");
     }
     // Python
     if (extensions.has("py")) {
-        if (tryRunConfiguredFormatter(root, "black .") ||
-            tryRunConfiguredFormatter(root, "python -m black .")) {
+        if (tryRunConfiguredFormatter(root, [
+            { command: "black", args: ["."], display: "black ." },
+            { command: "python", args: ["-m", "black", "."], display: "python -m black ." },
+        ])) {
             executedTools.push("black");
         }
-        if (tryRunConfiguredFormatter(root, "autopep8 --in-place --recursive .")) {
+        if (tryRunConfiguredFormatter(root, [
+            {
+                command: "autopep8",
+                args: ["--in-place", "--recursive", "."],
+                display: "autopep8 --in-place --recursive .",
+            },
+            {
+                command: "python",
+                args: ["-m", "autopep8", "--in-place", "--recursive", "."],
+                display: "python -m autopep8 --in-place --recursive .",
+            },
+        ])) {
             executedTools.push("autopep8");
         }
     }
     // Go
     if (extensions.has("go")) {
-        if (tryRunConfiguredFormatter(root, "gofmt -w ."))
+        if (tryRunConfiguredFormatter(root, [
+            { command: "gofmt", args: ["-w", "."], display: "gofmt -w ." },
+        ]))
             executedTools.push("gofmt");
     }
     const resultsArtifact = {

package/dist/orchestrator/localCommands.d.ts

@@ -0,0 +1,14 @@
+export interface LocalCommandCandidate {
+    command: string;
+    args: string[];
+    display?: string;
+}
+export interface LocalCommandResult {
+    candidate: LocalCommandCandidate;
+    exitCode: number | null;
+    stdout: string;
+    stderr: string;
+    error?: Error;
+}
+export declare function runFirstAvailableCommand(root: string, candidates: LocalCommandCandidate[]): LocalCommandResult | null;
+export declare function resolveNodeTool(root: string, relativePath: string, args: string[], display: string): LocalCommandCandidate[];

package/dist/orchestrator/localCommands.js

@@ -0,0 +1,124 @@
+import { existsSync } from "node:fs";
+import { spawnSync } from "node:child_process";
+import { delimiter, isAbsolute, join } from "node:path";
+function isWindowsBatchCommand(path) {
+    return process.platform === "win32" && /\.(cmd|bat)$/i.test(path);
+}
+function quoteForCmd(arg) {
+    if (arg.length === 0)
+        return '""';
+    if (!/[\s"]/u.test(arg))
+        return arg;
+    return `"${arg.replace(/"/g, '""')}"`;
+}
+function toSpawnTuple(candidate) {
+    if (!isWindowsBatchCommand(candidate.command)) {
+        return {
+            command: candidate.command,
+            args: candidate.args,
+        };
+    }
+    return {
+        command: process.env.ComSpec ?? "cmd.exe",
+        args: [
+            "/d",
+            "/s",
+            "/c",
+            [candidate.command, ...candidate.args].map(quoteForCmd).join(" "),
+        ],
+    };
+}
+function resolveFromPath(command) {
+    if (command.trim().length === 0) {
+        return null;
+    }
+    if (command.includes("\\") ||
+        command.includes("/") ||
+        isAbsolute(command)) {
+        return existsSync(command) ? command : null;
+    }
+    const pathValue = process.env.PATH ?? "";
+    const pathEntries = pathValue
+        .split(delimiter)
+        .map((entry) => entry.trim())
+        .filter((entry) => entry.length > 0);
+    const extensions = process.platform === "win32"
+        ? (process.env.PATHEXT ?? ".COM;.EXE;.BAT;.CMD")
+            .split(";")
+            .map((ext) => ext.toLowerCase())
+        : [""];
+    for (const dir of pathEntries) {
+        const directPath = join(dir, command);
+        if (existsSync(directPath)) {
+            return directPath;
+        }
+        for (const ext of extensions) {
+            const candidatePath = join(dir, `${command}${ext}`);
+            if (existsSync(candidatePath)) {
+                return candidatePath;
+            }
+        }
+    }
+    return null;
+}
+function resolveCandidate(root, candidate) {
+    if (candidate.command === process.execPath) {
+        return candidate;
+    }
+    const resolvedPath = resolveFromPath(candidate.command);
+    if (resolvedPath) {
+        return {
+            ...candidate,
+            command: resolvedPath,
+        };
+    }
+    const repoLocalPath = join(root, candidate.command);
+    if (existsSync(repoLocalPath)) {
+        return {
+            ...candidate,
+            command: repoLocalPath,
+        };
+    }
+    return null;
+}
+export function runFirstAvailableCommand(root, candidates) {
+    for (const candidate of candidates) {
+        const resolved = resolveCandidate(root, candidate);
+        if (!resolved) {
+            continue;
+        }
+        const spawnTarget = toSpawnTuple(resolved);
+        const result = spawnSync(spawnTarget.command, spawnTarget.args, {
+            cwd: root,
+            env: process.env,
+            encoding: "utf8",
+            windowsHide: true,
+            stdio: "pipe",
+        });
+        return {
+            candidate: {
+                ...resolved,
+                display: candidate.display ?? [candidate.command, ...candidate.args].join(" "),
+            },
+            exitCode: result.status,
+            stdout: result.stdout ?? "",
+            stderr: result.stderr ?? "",
+            error: result.error
+                ? new Error(result.error.message, { cause: result.error })
+                : undefined,
+        };
+    }
+    return null;
+}
+export function resolveNodeTool(root, relativePath, args, display) {
+    const localToolPath = join(root, relativePath);
+    const candidates = [];
+    if (existsSync(localToolPath)) {
+        candidates.push({
+            command: process.execPath,
+            args: [localToolPath, ...args],
+            display,
+        });
+    }
+    return candidates;
+}

package/dist/orchestrator/syntaxResolutionExecutor.js

@@ -1,74 +1,75 @@
-import { execSync } from "node:child_process";
+import { join } from "node:path";
+import { resolveNodeTool, runFirstAvailableCommand } from "./localCommands.js";
 function runTsc(root) {
     const results = [];
-    try {
-        execSync("npx tsc --noEmit", {
-            cwd: root,
-            stdio: "pipe",
-            windowsHide: true,
-        });
+    const command = runFirstAvailableCommand(root, [
+        ...resolveNodeTool(root, join("node_modules", "typescript", "bin", "tsc"), ["--noEmit"], "tsc --noEmit"),
+        { command: "tsc", args: ["--noEmit"], display: "tsc --noEmit" },
+    ]);
+    if (!command || command.error) {
+        return results;
     }
-    catch (error) {
-        if (error.stdout) {
-            const output = error.stdout.toString();
-            const lines = output.split("\n");
-            for (const line of lines) {
-                const match = line.match(/^([^:]+)\((\d+),\d+\):\s+(error\s+TS\d+:.*)$/);
-                if (match) {
-                    results.push({
-                        id: `tsc-${results.length}`,
-                        category: "correctness",
-                        severity: "error",
-                        path: match[1].replace(/\\/g, "/"),
-                        line_start: parseInt(match[2], 10),
-                        summary: match[3],
-                        rule: "tsc",
-                    });
-                }
-            }
-        }
-        else {
-            process.stderr.write(`[syntax-resolution] tsc exited with no stdout; stderr: ${(error.stderr?.toString() ?? "").slice(0, 200)}\n`);
+    const output = [command.stdout, command.stderr].filter(Boolean).join("\n");
+    const lines = output.split("\n");
+    for (const line of lines) {
+        const match = line.match(/^([^:]+)\((\d+),\d+\):\s+(error\s+TS\d+:.*)$/);
+        if (match) {
+            results.push({
+                id: `tsc-${results.length}`,
+                category: "correctness",
+                severity: "error",
+                path: match[1].replace(/\\/g, "/"),
+                line_start: parseInt(match[2], 10),
+                summary: match[3],
+                rule: "tsc",
+            });
         }
     }
+    if (command.exitCode === 0 && output.trim().length === 0) {
+        return results;
+    }
+    if (results.length === 0 && output.trim().length > 0) {
+        process.stderr.write(`[syntax-resolution] tsc output could not be parsed: ${output.slice(0, 200)}\n`);
+    }
     return results;
 }
 function runEslint(root) {
     const results = [];
-    try {
-        execSync("npx eslint . --ext .ts,.js,.tsx,.jsx --format json", {
-            cwd: root,
-            stdio: "pipe",
-            windowsHide: true,
-        });
+    const command = runFirstAvailableCommand(root, [
+        ...resolveNodeTool(root, join("node_modules", "eslint", "bin", "eslint.js"), [".", "--ext", ".ts,.js,.tsx,.jsx", "--format", "json"], "eslint . --ext .ts,.js,.tsx,.jsx --format json"),
+        {
+            command: "eslint",
+            args: [".", "--ext", ".ts,.js,.tsx,.jsx", "--format", "json"],
+            display: "eslint . --ext .ts,.js,.tsx,.jsx --format json",
+        },
+    ]);
+    if (!command || command.error) {
+        return results;
     }
-    catch (error) {
-        if (error.stdout) {
-            try {
-                const output = JSON.parse(error.stdout.toString());
-                for (const fileResult of output) {
-                    for (const msg of fileResult.messages) {
-                        results.push({
-                            id: `eslint-${results.length}`,
-                            category: "maintainability",
-                            severity: msg.severity === 2 ? "error" : "warning",
-                            path: fileResult.filePath
-                                .replace(/\\/g, "/")
-                                .replace(root.replace(/\\/g, "/") + "/", ""),
-                            line_start: msg.line,
-                            summary: msg.message,
-                            rule: msg.ruleId || "eslint-error",
-                        });
-                    }
-                }
-            }
-            catch (e) {
-                process.stderr.write(`[syntax-resolution] eslint output could not be parsed: ${(error.stdout?.toString() ?? "").slice(0, 200)}\n`);
+    const output = [command.stdout, command.stderr].filter(Boolean).join("\n").trim();
+    if (output.length === 0) {
+        return results;
+    }
+    try {
+        const parsed = JSON.parse(output);
+        for (const fileResult of parsed) {
+            for (const msg of fileResult.messages) {
+                results.push({
+                    id: `eslint-${results.length}`,
+                    category: "maintainability",
+                    severity: msg.severity === 2 ? "error" : "warning",
+                    path: fileResult.filePath
+                        .replace(/\\/g, "/")
+                        .replace(root.replace(/\\/g, "/") + "/", ""),
+                    line_start: msg.line,
+                    summary: msg.message,
+                    rule: msg.ruleId || "eslint-error",
+                });
             }
         }
-        else {
-            process.stderr.write(`[syntax-resolution] eslint exited with no stdout; stderr: ${(error.stderr?.toString() ?? "").slice(0, 200)}\n`);
-        }
+    }
+    catch {
+        process.stderr.write(`[syntax-resolution] eslint output could not be parsed: ${output.slice(0, 200)}\n`);
     }
     return results;
 }

package/dist/supervisor/operatorHandoff.d.ts

@@ -1,7 +1,7 @@
 import type { ArtifactBundle } from "../io/artifacts.js";
 import type { AuditState, AuditTopLevelStatus } from "../types/auditState.js";
 export interface AuditCodeHandoffInput {
-    flag: "--results" | "--updates" | "--external-analyzer-results";
+    flag: "--results" | "--batch-results" | "--updates" | "--external-analyzer-results";
     suggested_path: string;
     description: string;
 }

package/dist/supervisor/operatorHandoff.js

@@ -66,6 +66,11 @@ function buildSuggestedInputs(artifactsDir, status, isConfigError) {
             suggested_path: join(incomingDir, "audit-results.json"),
             description: "Import structured audit-review results after manual or provider-assisted review finishes.",
         },
+        {
+            flag: "--batch-results",
+            suggested_path: join(incomingDir, "audit-results-batch"),
+            description: "Import a directory of per-batch audit result files when the conversation agent reviews multiple tasks before ingestion.",
+        },
         {
             flag: "--updates",
             suggested_path: join(incomingDir, "runtime-validation-updates.json"),
@@ -176,6 +181,9 @@ export function buildAuditCodeHandoff(params) {
 export async function writeAuditCodeHandoffArtifacts(handoff) {
     try {
         await mkdir(handoff.artifact_paths.incoming_dir, { recursive: true });
+        await mkdir(join(handoff.artifact_paths.incoming_dir, "audit-results-batch"), {
+            recursive: true,
+        });
         await writeJsonFile(handoff.artifact_paths.operator_handoff_json, handoff);
         await writeFile(handoff.artifact_paths.operator_handoff_markdown, renderMarkdown(handoff), "utf8");
     }

package/docs/agent-integrations.md

@@ -172,9 +172,9 @@ Use it when the current host cannot keep review inside the active conversation,
 
 Use when you want the supervisor to stay entirely local.
 
-This requires no external agent CLI. The supervisor launches fresh worker subprocesses that call the bounded `worker-run` entrypoint for deterministic stages.
+This requires no external agent CLI. Deterministic executors run in-process during normal wrapper runs, and the supervisor only stops once the remaining work is genuinely semantic review.
 
-When the remaining work is genuinely audit-task review, `local-subprocess` stops in a terminal blocked handoff instead of pretending more automatic progress is available.
+When that review boundary is reached, `local-subprocess` stops in a terminal blocked handoff instead of pretending more automatic progress is available. Use `--results <file>` for a single batch or `--batch-results <dir>` when the active conversation agent reviewed multiple task batches before ingestion.
 
 This is the safest default backend when the repository is already available locally.
 

package/docs/releasing.md

@@ -41,6 +41,53 @@ npm publish --dry-run
 
 The local dry run is still valuable even though the real publish happens in GitHub Actions. It proves the packed artifact, lifecycle hooks, and publish metadata before you spend a release on a broken workflow run.
 
+## Version bump helpers
+
+You do not need to look up the current version before cutting a release bump.
+
+From the repository root:
+
+```bash
+npm run release:patch
+```
+
+That delegates the increment to `npm version patch`, updates `package.json` and `package-lock.json`, and creates the matching release commit and git tag in the existing repository format:
+
+Under the hood, the helper uses `npm version patch --no-git-tag-version` and then creates the release commit and annotated git tag explicitly so the workflow stays compatible with current npm CLI behavior.
+
+- commit: `release: vX.Y.Z`
+- tag: `vX.Y.Z`
+
+The repository also exposes:
+
+- `npm run release:minor`
+- `npm run release:major`
+
+After the version bump, push `main` and the new tag, then publish through the GitHub Actions trusted publishing flow.
+
+## One-command release publish
+
+When you want the repository to do the full maintainer flow in one command, use:
+
+```bash
+npm run release:patch:publish
+```
+
+That command:
+
+1. verifies the git worktree is clean and you are on `main`
+2. runs `npm run verify:release`
+3. bumps the version, commits `package.json` and `package-lock.json`, and creates the annotated release tag
+4. pushes `main` and the new release tag
+5. creates the matching GitHub Release
+6. waits for `publish-package.yml` to publish through Trusted Publishing
+7. confirms the new npm version resolves from the registry before exiting
+
+Minor and major variants are also available:
+
+- `npm run release:minor:publish`
+- `npm run release:major:publish`
+
 ## Supported Node lines
 
 Routine CI currently exercises the repository on Node `20` and Node `22`.

package/docs/session-config.md

@@ -112,7 +112,9 @@ This keeps the current default stable while still allowing best-effort cross-edi
 
 No extra config is required.
 
-This mode covers deterministic worker runs locally and stops in a terminal blocked state once the remaining work requires imported audit results or an interactive provider.
+This mode covers deterministic audit execution locally and stops in a terminal blocked state once the remaining work requires imported audit results or an interactive provider.
+
+When the active conversation agent reviews multiple task batches before ingestion, prefer `audit-code --batch-results <dir>` over ad hoc artifact edits.
 
 This remains the safest fallback default while the semantic-review workflow is being realigned.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.2.9",
+  "version": "0.2.11",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",
@@ -22,6 +22,12 @@
     "build": "tsc -p tsconfig.json",
     "check": "tsc -p tsconfig.json --noEmit",
     "test": "npm run build && node --test tests/*.test.mjs",
+    "release:patch": "node scripts/release-and-publish.mjs patch --bump-only",
+    "release:minor": "node scripts/release-and-publish.mjs minor --bump-only",
+    "release:major": "node scripts/release-and-publish.mjs major --bump-only",
+    "release:patch:publish": "node scripts/release-and-publish.mjs patch",
+    "release:minor:publish": "node scripts/release-and-publish.mjs minor",
+    "release:major:publish": "node scripts/release-and-publish.mjs major",
     "verify:release": "npm run check && npm test && npm run smoke:linked-audit-code && npm run smoke:packaged-audit-code",
     "smoke:linked-audit-code": "node scripts/smoke-linked-audit-code.mjs",
     "smoke:packaged-audit-code": "node scripts/smoke-packaged-audit-code.mjs",

package/schemas/audit-code-v1alpha1.schema.json

@@ -131,6 +131,7 @@
                 "type": "string",
                 "enum": [
                   "--results",
+                  "--batch-results",
                   "--updates",
                   "--external-analyzer-results"
                 ]