auditor-lambda 0.3.1 → 0.3.2

package/dispatch/merge-results.mjs

@@ -1,40 +1,34 @@
-import { dirname, resolve, join } from "node:path";
-import { fileURLToPath } from "node:url";
+import { resolve, join } from "node:path";
 import { readFileSync, writeFileSync, readdirSync, existsSync } from "node:fs";
 import { validateResult } from "./validate.mjs";
 
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = dirname(__filename);
-
-// Parse --run-id
 const runIdIdx = process.argv.indexOf("--run-id");
 if (runIdIdx === -1 || !process.argv[runIdIdx + 1]) {
   console.error("Usage: node dispatch/merge-results.mjs --run-id <run_id> [--artifacts-dir <dir>]");
   process.exit(1);
 }
-const run_id = process.argv[runIdIdx + 1];
+const runId = process.argv[runIdIdx + 1];
 
-// Parse --artifacts-dir (default: CWD/.audit-artifacts)
 const artifactsDirIdx = process.argv.indexOf("--artifacts-dir");
 const artifactsDir = artifactsDirIdx !== -1 && process.argv[artifactsDirIdx + 1]
   ? resolve(process.argv[artifactsDirIdx + 1])
   : join(process.cwd(), ".audit-artifacts");
 
-const taskResultsDir = join(artifactsDir, "runs", run_id, "task-results");
-const auditResultsPath = join(artifactsDir, "runs", run_id, "audit-results.json");
-const failedTasksPath = join(artifactsDir, "runs", run_id, "failed-tasks.json");
-const tasksPath = join(artifactsDir, "runs", run_id, "pending-audit-tasks.json");
+const taskResultsDir = join(artifactsDir, "runs", runId, "task-results");
+const auditResultsPath = join(artifactsDir, "runs", runId, "audit-results.json");
+const failedTasksPath = join(artifactsDir, "runs", runId, "failed-tasks.json");
+const tasksPath = join(artifactsDir, "runs", runId, "pending-audit-tasks.json");
 
-// Build fileLineCounts map
-const lineCounts = {};
+// Build task map for validation context
+const taskMap = {};
 if (existsSync(tasksPath)) {
   try {
     const tasks = JSON.parse(readFileSync(tasksPath, "utf8"));
     for (const task of tasks) {
-      lineCounts[task.task_id] = task.file_line_counts;
+      taskMap[task.task_id] = task;
     }
   } catch {
-    // proceed with empty map
+    // proceed without task context
   }
 }
 
@@ -59,8 +53,8 @@ for (const filename of files) {
   }
 
   const taskId = resultObj?.task_id;
-  const fileLineCounts = (taskId && lineCounts[taskId]) ? lineCounts[taskId] : {};
-  const { valid, errors } = validateResult(resultObj, fileLineCounts);
+  const task = (taskId && taskMap[taskId]) ? taskMap[taskId] : null;
+  const { valid, errors } = validateResult(resultObj, task);
 
   if (valid) {
     passing.push(resultObj);

package/dispatch/validate-result.mjs

@@ -1,38 +1,25 @@
-import { dirname, resolve, join } from "node:path";
-import { fileURLToPath } from "node:url";
+import { resolve, join } from "node:path";
 import { readFileSync, existsSync } from "node:fs";
 import { validateResult } from "./validate.mjs";
 
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = dirname(__filename);
-
-// Support both named flags and legacy positional args:
-//   Named:    --run-id <id> --task-id <id> [--artifacts-dir <dir>]
-//   Positional (legacy): <run_id> <task_id>
-const runIdFlagIdx = process.argv.indexOf("--run-id");
-const taskIdFlagIdx = process.argv.indexOf("--task-id");
+const runIdIdx = process.argv.indexOf("--run-id");
+const taskIdIdx = process.argv.indexOf("--task-id");
 const artifactsDirIdx = process.argv.indexOf("--artifacts-dir");
 
-const run_id = runIdFlagIdx !== -1
-  ? process.argv[runIdFlagIdx + 1]
-  : process.argv[2];
-
-const task_id = taskIdFlagIdx !== -1
-  ? process.argv[taskIdFlagIdx + 1]
-  : process.argv[3];
+const runId = runIdIdx !== -1 ? process.argv[runIdIdx + 1] : undefined;
+const taskId = taskIdIdx !== -1 ? process.argv[taskIdIdx + 1] : undefined;
 
-if (!run_id || !task_id) {
+if (!runId || !taskId) {
   console.error("Usage: node dispatch/validate-result.mjs --run-id <run_id> --task-id <task_id> [--artifacts-dir <dir>]");
   process.exit(1);
 }
 
-// Artifacts dir: explicit flag > CWD default
 const artifactsDir = artifactsDirIdx !== -1 && process.argv[artifactsDirIdx + 1]
   ? resolve(process.argv[artifactsDirIdx + 1])
   : join(process.cwd(), ".audit-artifacts");
 
-const sanitized = task_id.replace(/[^a-zA-Z0-9_-]/g, "_");
-const resultPath = join(artifactsDir, "runs", run_id, "task-results", sanitized + ".json");
+const sanitized = taskId.replace(/[^a-zA-Z0-9_-]/g, "_");
+const resultPath = join(artifactsDir, "runs", runId, "task-results", sanitized + ".json");
 
 if (!existsSync(resultPath)) {
   console.error(`File not found: ${resultPath}`);
@@ -47,25 +34,24 @@ try {
   process.exit(1);
 }
 
-const tasksPath = join(artifactsDir, "runs", run_id, "pending-audit-tasks.json");
-let fileLineCounts = {};
+const tasksPath = join(artifactsDir, "runs", runId, "pending-audit-tasks.json");
+let task = null;
 if (existsSync(tasksPath)) {
   try {
     const tasks = JSON.parse(readFileSync(tasksPath, "utf8"));
-    const task = tasks.find(t => t.task_id === task_id);
-    fileLineCounts = task?.file_line_counts ?? {};
+    task = tasks.find(t => t.task_id === taskId) ?? null;
   } catch {
-    // use empty
+    // proceed without task context
   }
 }
 
-const { valid, errors } = validateResult(resultObj, fileLineCounts);
+const { valid, errors } = validateResult(resultObj, task);
 
 if (valid) {
-  console.log("✓ valid:", task_id);
+  console.log("✓ valid:", taskId);
   process.exit(0);
 } else {
-  console.error("✗ invalid:", task_id);
+  console.error("✗ invalid:", taskId);
   console.error(JSON.stringify(errors, null, 2));
   process.exit(1);
 }

package/dispatch/validate.mjs

@@ -1,88 +1,16 @@
-import { dirname, resolve, join } from "node:path";
-import { fileURLToPath } from "node:url";
-import { readFileSync } from "node:fs";
-import Ajv2020 from "ajv/dist/2020.js";
-
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = dirname(__filename);
-const PROJECT_ROOT = resolve(__dirname, "..");
-const SCHEMAS_DIR = join(PROJECT_ROOT, "schemas");
-
-function loadSchema(name) {
-  return JSON.parse(readFileSync(join(SCHEMAS_DIR, name), "utf8"));
-}
-
-let _ajv = null;
-let _validateFn = null;
-
-function getValidator() {
-  if (_validateFn) return _validateFn;
-  _ajv = new Ajv2020({ strict: false, allErrors: true });
-  _ajv.addSchema(loadSchema("finding.schema.json"));
-  _validateFn = _ajv.compile(loadSchema("audit_result.schema.json"));
-  return _validateFn;
-}
-
-function formatAjvError(e) {
-  const path = e.instancePath || "(root)";
-  return `${path}: ${e.message}${e.params ? " (" + JSON.stringify(e.params) + ")" : ""}`;
-}
+import { validateAuditResults } from "../dist/validation/auditResults.js";
 
 /**
  * @param {object} resultObj  — parsed JSON from a task-results file
- * @param {Record<string, number>} fileLineCounts — from the task's file_line_counts
+ * @param {object|null} task  — the matching AuditTask from pending-audit-tasks.json, or null
  * @returns {{ valid: boolean, errors: string[] }}
  */
-export function validateResult(resultObj, fileLineCounts) {
-  const validate = getValidator();
-  const schemaValid = validate(resultObj);
-
-  if (!schemaValid) {
-    return { valid: false, errors: validate.errors.map(formatAjvError) };
-  }
-
-  const errors = [];
-
-  // Line range constraint
-  for (const finding of resultObj.findings) {
-    for (const entry of finding.affected_files) {
-      if (entry.line_end !== undefined) {
-        const coverage = resultObj.file_coverage.find(fc => fc.path === entry.path);
-        if (!coverage) {
-          errors.push(`affected_files path '${entry.path}' not in file_coverage`);
-        } else if (entry.line_end > coverage.total_lines) {
-          errors.push(
-            `finding '${finding.id}': line_end ${entry.line_end} exceeds total_lines ${coverage.total_lines} for ${entry.path}`
-          );
-        }
-      }
-    }
-  }
-
-  // Lens consistency
-  for (const finding of resultObj.findings) {
-    if (finding.lens !== resultObj.lens) {
-      errors.push(
-        `finding '${finding.id}': lens '${finding.lens}' does not match task lens '${resultObj.lens}'`
-      );
-    }
-  }
-
-  // affected_files paths in scope
-  const allowedPaths = new Set(resultObj.file_coverage.map(fc => fc.path));
-  for (const finding of resultObj.findings) {
-    for (const entry of finding.affected_files) {
-      if (!allowedPaths.has(entry.path)) {
-        errors.push(
-          `finding '${finding.id}': affected path '${entry.path}' not in task file_coverage`
-        );
-      }
-    }
-  }
-
-  if (errors.length > 0) {
-    return { valid: false, errors };
-  }
-
-  return { valid: true, errors: [] };
+export function validateResult(resultObj, task) {
+  const tasks = task ? [task] : [];
+  const lineIndex = task?.file_line_counts ?? {};
+  const issues = validateAuditResults([resultObj], tasks, { lineIndex });
+  const errors = issues
+    .filter(i => i.severity === "error")
+    .map(i => `${i.path}: ${i.message}`);
+  return { valid: errors.length === 0, errors };
 }

package/dist/cli.js

@@ -1501,12 +1501,16 @@ async function cmdMergeAndIngest(argv) {
     const taskResultsDir = join(runDir, "task-results");
     const auditResultsPath = join(runDir, "audit-results.json");
     const taskPath = join(runDir, "task.json");
-    // Merge: collect all per-task result files (skip .prompt.md files)
+    const tasksPath = join(runDir, "pending-audit-tasks.json");
+    let allTasks = [];
+    try {
+        allTasks = await readJsonFile(tasksPath);
+    }
+    catch { /* may not exist */ }
+    const taskMap = new Map(allTasks.map(t => [t.task_id, t]));
     let files;
     try {
-        files = (await readdir(taskResultsDir))
-            .filter(f => f.endsWith(".json"))
-            .sort();
+        files = (await readdir(taskResultsDir)).filter(f => f.endsWith(".json")).sort();
     }
     catch {
         files = [];
@@ -1523,13 +1527,16 @@ async function cmdMergeAndIngest(argv) {
             failing.push({ task_id: filename, errors: [`Invalid JSON: ${e.message}`] });
             continue;
         }
-        const r = obj;
-        const missing = ["task_id", "unit_id", "pass_id", "lens", "file_coverage", "findings"].filter(f => !(f in r));
-        if (missing.length > 0) {
-            failing.push({ task_id: String(r.task_id ?? filename), errors: [`Missing required fields: ${missing.join(", ")}`] });
+        const taskId = typeof obj.task_id === "string"
+            ? String(obj.task_id) : undefined;
+        const matchingTask = taskId ? taskMap.get(taskId) : undefined;
+        const issues = validateAuditResults([obj], matchingTask ? [matchingTask] : [], { lineIndex: matchingTask?.file_line_counts ?? {} });
+        const errors = issues.filter(i => i.severity === "error");
+        if (errors.length === 0) {
+            passing.push(obj);
         }
         else {
-            passing.push(obj);
+            failing.push({ task_id: taskId ?? filename, errors: errors.map(i => i.message) });
         }
     }
     await writeJsonFile(auditResultsPath, passing);
@@ -1541,12 +1548,6 @@ async function cmdMergeAndIngest(argv) {
     // Ingest: run worker-run logic against the merged results file
     await cmdWorkerRun([argv[0], argv[1], "worker-run", "--task", taskPath, "--artifacts-dir", artifactsDir]);
 }
-const VALID_LENSES_SET = new Set([
-    "correctness", "architecture", "maintainability", "security", "reliability",
-    "performance", "data_integrity", "tests", "operability", "config_deployment",
-]);
-const VALID_SEVERITIES_SET = new Set(["critical", "high", "medium", "low", "info"]);
-const VALID_CONFIDENCES_SET = new Set(["high", "medium", "low"]);
 async function cmdValidateResult(argv) {
     const runId = getFlag(argv, "--run-id");
     const taskId = getFlag(argv, "--task-id");
@@ -1574,102 +1575,22 @@ async function cmdValidateResult(argv) {
         process.exitCode = 1;
         return;
     }
-    const errors = [];
-    // Required top-level fields
-    for (const field of ["task_id", "unit_id", "pass_id", "lens", "file_coverage", "findings"]) {
-        if (!(field in obj))
-            errors.push(`Missing required field: ${field}`);
-    }
-    if (errors.length > 0) {
-        console.error(`✗ invalid: ${taskId}`);
-        for (const e of errors)
-            console.error(`  ${e}`);
-        process.exitCode = 1;
-        return;
-    }
-    // Lens
-    if (typeof obj.lens !== "string" || !VALID_LENSES_SET.has(obj.lens)) {
-        errors.push(`lens must be one of: ${[...VALID_LENSES_SET].join("|")}`);
-    }
-    // file_coverage
-    if (!Array.isArray(obj.file_coverage) || obj.file_coverage.length === 0) {
-        errors.push("file_coverage must be a non-empty array");
-    }
-    else {
-        for (const fc of obj.file_coverage) {
-            const entry = fc;
-            if (typeof entry.path !== "string")
-                errors.push(`file_coverage entry missing string 'path'`);
-            if (typeof entry.total_lines !== "number")
-                errors.push(`file_coverage entry missing numeric 'total_lines'`);
-        }
-    }
-    // findings
-    if (!Array.isArray(obj.findings)) {
-        errors.push("findings must be an array");
-    }
-    else {
-        for (const f of obj.findings) {
-            const finding = f;
-            for (const field of ["id", "title", "category", "severity", "confidence", "lens", "summary"]) {
-                if (typeof finding[field] !== "string")
-                    errors.push(`finding missing string '${field}'`);
-            }
-            if (typeof finding.severity === "string" && !VALID_SEVERITIES_SET.has(finding.severity)) {
-                errors.push(`finding '${finding.id}': invalid severity '${finding.severity}'`);
-            }
-            if (typeof finding.confidence === "string" && !VALID_CONFIDENCES_SET.has(finding.confidence)) {
-                errors.push(`finding '${finding.id}': invalid confidence '${finding.confidence}'`);
-            }
-            if (!Array.isArray(finding.affected_files) || finding.affected_files.length === 0) {
-                errors.push(`finding '${finding.id}': affected_files must be a non-empty array`);
-            }
-            else {
-                for (const af of finding.affected_files) {
-                    if (typeof af.path !== "string") {
-                        errors.push(`finding '${finding.id}': affected_files entries must be objects with a 'path' key`);
-                    }
-                }
-            }
-            if (!Array.isArray(finding.evidence) || finding.evidence.length === 0) {
-                errors.push(`finding '${finding.id}': evidence must be a non-empty array`);
-            }
-            if (typeof finding.lens === "string" && finding.lens !== obj.lens) {
-                errors.push(`finding '${finding.id}': lens '${finding.lens}' does not match task lens '${obj.lens}'`);
-            }
-        }
-    }
-    // Line range bounds (load from pending-audit-tasks.json if available)
-    let fileLineCounts = {};
+    let allTasks = [];
     try {
-        const tasks = await readJsonFile(tasksPath);
-        const task = tasks.find(t => t.task_id === taskId);
-        fileLineCounts = task?.file_line_counts ?? {};
-    }
-    catch { /* ignore */ }
-    if (Array.isArray(obj.file_coverage) && Array.isArray(obj.findings)) {
-        const coverageMap = new Map(obj.file_coverage.map(fc => [fc.path, fc.total_lines]));
-        const allowedPaths = new Set(coverageMap.keys());
-        for (const f of obj.findings) {
-            for (const af of (f.affected_files ?? [])) {
-                const p = af.path;
-                if (!allowedPaths.has(p))
-                    errors.push(`finding '${f.id}': path '${p}' not in file_coverage`);
-                if (typeof af.line_end === "number") {
-                    const max = coverageMap.get(p) ?? fileLineCounts[p] ?? Infinity;
-                    if (af.line_end > max)
-                        errors.push(`finding '${f.id}': line_end ${af.line_end} exceeds total_lines ${max} for ${p}`);
-                }
-            }
-        }
+        allTasks = await readJsonFile(tasksPath);
     }
+    catch { /* may not exist */ }
+    const matchingTasks = allTasks.filter(t => t.task_id === taskId);
+    const lineIndex = matchingTasks[0]?.file_line_counts ?? {};
+    const issues = validateAuditResults([obj], matchingTasks, { lineIndex });
+    const errors = issues.filter(i => i.severity === "error");
     if (errors.length === 0) {
         console.log(`✓ valid: ${taskId}`);
     }
     else {
         console.error(`✗ invalid: ${taskId}`);
         for (const e of errors)
-            console.error(`  ${e}`);
+            console.error(`  ${e.path}: ${e.message}`);
         process.exitCode = 1;
     }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.3.1",
+  "version": "0.3.2",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",
@@ -38,7 +38,7 @@
     "start": "node dist/index.js",
     "audit-code": "node audit-code.mjs",
     "sample-run": "node dist/index.js sample-run",
-    "dispatch:prepare": "node dispatch/prepare-dispatch.mjs",
+    "dispatch:prepare": "node audit-code.mjs prepare-dispatch",
     "dispatch:merge": "node dispatch/merge-results.mjs",
     "dispatch:validate": "node dispatch/validate-result.mjs"
   },

package/dispatch/prepare-dispatch.mjs

@@ -1,136 +0,0 @@
-import { dirname, resolve, join } from "node:path";
-import { fileURLToPath } from "node:url";
-import { readFileSync, writeFileSync, mkdirSync } from "node:fs";
-
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = dirname(__filename);
-const PACKAGE_ROOT = resolve(__dirname, "..");
-
-// Parse --run-id
-const runIdIdx = process.argv.indexOf("--run-id");
-if (runIdIdx === -1 || !process.argv[runIdIdx + 1]) {
-  console.error("Usage: node dispatch/prepare-dispatch.mjs --run-id <run_id> [--artifacts-dir <dir>]");
-  process.exit(1);
-}
-const run_id = process.argv[runIdIdx + 1];
-
-// Parse --artifacts-dir (default: CWD/.audit-artifacts)
-const artifactsDirIdx = process.argv.indexOf("--artifacts-dir");
-const artifactsDir = artifactsDirIdx !== -1 && process.argv[artifactsDirIdx + 1]
-  ? resolve(process.argv[artifactsDirIdx + 1])
-  : join(process.cwd(), ".audit-artifacts");
-
-const runDir = join(artifactsDir, "runs", run_id);
-const tasksPath = join(runDir, "pending-audit-tasks.json");
-const taskResultsDir = join(runDir, "task-results");
-const dispatchPlanPath = join(runDir, "dispatch-plan.json");
-
-let tasks;
-try {
-  tasks = JSON.parse(readFileSync(tasksPath, "utf8"));
-} catch (e) {
-  console.error(`Cannot read ${tasksPath}: ${e.message}`);
-  process.exit(1);
-}
-
-const lensDefinitions = JSON.parse(
-  readFileSync(join(__dirname, "lens-definitions.json"), "utf8")
-);
-
-mkdirSync(taskResultsDir, { recursive: true });
-
-function buildPrompt(task, lensDef, outputPath, runId, artifactsDir) {
-  const fileList = task.file_paths.map(p => {
-    const lines = task.file_line_counts?.[p] ?? 0;
-    return `- ${p} (${lines} lines)`;
-  }).join("\n");
-
-  return `You are a code auditor. Review the files below under the specified lens.
-
-## Task
-task_id: ${task.task_id}
-unit_id: ${task.unit_id}
-pass_id: ${task.pass_id}
-lens: ${task.lens}
-
-## Files to read
-Use your Read tool. Paths are repo-relative from the current working directory.
-${fileList}
-
-## Lens: ${task.lens}
-${lensDef?.description ?? task.lens}
-
-Do NOT report: ${lensDef?.do_not_report ?? "N/A"}
-
-## Output
-Write a single JSON object to: ${outputPath}
-
-Required fields:
-  task_id       copy from task metadata above
-  unit_id       copy from task metadata above
-  pass_id       copy from task metadata above
-  lens          copy from task metadata above
-  file_coverage [{path, total_lines}] — one entry per file; use the line counts listed above
-  findings      [] or array of finding objects (see below)
-
-Each finding object (omit optional fields if not applicable):
-  id            unique ID, e.g. "SEC-001"
-  title         short title
-  category      correctness|architecture|maintainability|security|reliability|performance|data_integrity|tests|operability|config_deployment
-  severity      critical|high|medium|low|info
-  confidence    high|medium|low
-  lens          "${task.lens}" — must match task lens exactly
-  summary       1–2 sentence description
-  affected_files  [{path, line_start?, line_end?, symbol?}] — objects, not strings; min 1 entry
-  evidence     ["path/to/file.ts:42 — description of what you see there"] — min 1 entry
-
-Constraints:
-1. line_end must not exceed the file's actual line count (use the counts listed above)
-2. affected_files entries are OBJECTS with a "path" key — NOT plain strings
-3. Only reference files from the list above
-4. findings: [] is correct when you find nothing genuine — do not invent findings
-
-## Validate
-After writing your result, run:
-  audit-code validate-result --run-id ${runId} --task-id ${task.task_id} --artifacts-dir ${artifactsDir}
-
-Exit 0 means valid. Non-zero: read the errors, fix your JSON, rewrite the file, run again. Retry up to 3 times.`;
-}
-
-const plan = [];
-let largestTask = null;
-let largestLines = 0;
-
-for (const task of tasks) {
-  const sanitizedId = task.task_id.replace(/[^a-zA-Z0-9_-]/g, "_");
-  const outputPath = join(taskResultsDir, sanitizedId + ".json");
-  const promptPath = join(taskResultsDir, sanitizedId + ".prompt.md");
-  const lensDef = lensDefinitions[task.lens];
-
-  if (!lensDef) {
-    process.stderr.write(`Warning: no lens definition for '${task.lens}' (task ${task.task_id})\n`);
-  }
-
-  const totalFileLines = Object.values(task.file_line_counts ?? {}).reduce((a, b) => a + b, 0);
-
-  if (totalFileLines > largestLines) {
-    largestLines = totalFileLines;
-    largestTask = task.task_id;
-  }
-  if (totalFileLines > 1500) {
-    process.stderr.write(`Warning: large task ${task.task_id} (~${totalFileLines} lines) may hit quota limits\n`);
-  }
-
-  const prompt = buildPrompt(task, lensDef, outputPath, run_id, artifactsDir);
-  writeFileSync(promptPath, prompt, "utf8");
-
-  const description = `Audit ${task.unit_id} (${task.file_paths.length} file(s), ~${totalFileLines} lines) — ${task.lens} lens`;
-  plan.push({ task_id: task.task_id, description, output_path: outputPath, prompt_path: promptPath });
-}
-
-writeFileSync(dispatchPlanPath, JSON.stringify(plan, null, 2));
-
-console.log(`Wrote dispatch-plan.json — ${plan.length} tasks ready for dispatch`);
-if (largestTask) {
-  console.log(`Largest task: ${largestTask} (~${largestLines} lines)`);
-}