auditor-lambda 0.3.12 → 0.3.14

package/README.md

@@ -30,7 +30,7 @@ npm install -g auditor-lambda
 
 That makes `audit-code` available on `PATH`. During package install, the package
 also writes user-level command/skill assets for hosts we can seed safely, including
-the Claude command file and Codex skill bundle.
+the Claude command file and global Codex skill bundle.
 
 After that, invoke `/audit-code` in a supported host. The prompt self-bootstraps
 the current repository by running:
@@ -51,7 +51,7 @@ audit-code install
 
 That bootstraps repo-local `/audit-code` surfaces for the hosts we can automate today, including:
 
-- Codex skill bundle, `AGENTS.md` guidance, and MCP setup notes
+- Codex `AGENTS.md` fallback guidance for the global skill surface
 - Claude Desktop local MCP bundle artifacts and project template guidance
 - OpenCode command, skill, and `opencode.json` surfaces
 - VS Code prompt, custom agent, Copilot instructions, and `.vscode/mcp.json`
@@ -190,20 +190,25 @@ Optional backend config:
 - use `provider: "auto"` only when you want best-effort routing across installed backends
 - treat explicit provider bridges as compatibility fallback, not as the intended owner of semantic review
 
-## Implementation Next Steps
+## Current Development Focus
 
 The next implementation work is tracked in:
 
-- `docs/next-steps.md`
+- `docs/product.md`
+- `docs/development.md`
+- `docs/handoff.md`
 
 The short version is:
 
 - keep the packet dispatch workflow verified in real host environments
-- benchmark `/audit-code` packet counts and warning counts against nontrivial external repositories
-- prove the generated Codex, Claude Desktop, OpenCode, VS Code, and Antigravity guidance in real host flows
+- make graph-informed packetization observable before adding more ecosystem-specific parsers
+- consolidate graph extraction and exercise generic ownership hints for analyzer-supplied module roots
+- add deterministic Python import, package, and test/source graph support as a core language path
+- use semantic/NLP-style affinity only as low-authority context unless deterministic graph evidence supports it
+- keep generated Codex, Claude Desktop, OpenCode, VS Code, and Antigravity guidance aligned with real host behavior
 - tighten the repo-local MCP-first bootstrap where host smoke tests expose friction
 - polish provider-assisted continuation and failure guidance
-- finish publish and release hardening for packaged installs
+- keep schema contracts and examples easy for workers and host integrations to validate
 
 ## Build And Test
 
@@ -214,24 +219,15 @@ npm run release:patch
 npm run release:patch:publish
 ```
 
-For GitHub Actions publication and npm Trusted Publishing setup, see `docs/releasing.md`.
+For GitHub Actions publication and npm Trusted Publishing setup, see `docs/release.md`.
 
 ## Key Docs
 
-- `docs/product-direction.md`
-- `docs/workflow-refactor-brief.md`
-- `docs/remediation-baseline.md`
-- `docs/releasing.md`
-- `docs/production-readiness.md`
-- `docs/production-launch-bar.md`
-- `docs/next-steps.md`
+- `docs/product.md`
+- `docs/operator-guide.md`
+- `docs/contracts.md`
+- `docs/release.md`
+- `docs/development.md`
+- `docs/handoff.md`
+- `docs/history.md`
 - `skills/audit-code/SKILL.md`
-- `docs/bootstrap-install.md`
-- `docs/agent-integrations.md`
-- `docs/github-copilot.md`
-- `docs/contract.md`
-- `docs/model-selection.md`
-- `docs/packaging.md`
-- `docs/session-config.md`
-- `docs/supervisor.md`
-- `docs/windows-setup.md`

package/audit-code-wrapper-lib.mjs

@@ -398,6 +398,23 @@ async function writeGeneratedMarkdown(targetPath, content) {
   };
 }
 
+async function removeGeneratedMarkdownIfMatches(targetPath, expectedContent) {
+  const existing = await readTextIfExists(targetPath);
+  if (existing === null) {
+    return null;
+  }
+
+  if (normalizeNewlines(existing) !== normalizeNewlines(expectedContent)) {
+    return null;
+  }
+
+  await unlink(targetPath);
+  return {
+    path: targetPath,
+    mode: 'removed',
+  };
+}
+
 async function writeGeneratedJson(targetPath, value) {
   const existed = await fileExists(targetPath);
   await mkdir(dirname(targetPath), { recursive: true });
@@ -628,7 +645,7 @@ function renderClaudeDesktopProjectTemplate() {
     '',
     '- `.audit-code/install/audit-code.import.md`',
     '- `.audit-code/install/GETTING-STARTED.md`',
-    '- `docs/agent-integrations.md` when you want host-specific operator context',
+    '- `docs/operator-guide.md` when you want host-specific operator context',
     '',
     'Starter prompt:',
     '',
@@ -1021,22 +1038,20 @@ const INSTALL_HOST_DEFINITIONS = {
     host: 'codex',
     label: 'Codex',
     support_level: 'supported',
-    setup_kind: 'skills+mcp+instructions',
+    setup_kind: 'global-skill+instructions',
     summary:
-      'Use the generated Codex skill bundle, AGENTS instructions, and shared MCP launcher so Codex can drive the backend through native tools instead of raw shell commands.',
-    primary_path_key: 'codexSkillPath',
+      'Use the global Codex skill installed by npm plus AGENTS fallback instructions for this repository. Repo-local Codex skill bundles are intentionally not generated.',
+    primary_path_key: 'agentsInstructionsPath',
     supporting_path_keys: [
-      'agentsInstructionsPath',
-      'codexMcpSetupPath',
-      'codexAutomationRecipePath',
+      'installedPromptPath',
+      'mcpLauncherPath',
     ],
     steps: [
       'Open this repository in Codex.',
-      'Ensure Codex can access the repo-local auditor MCP server using the generated setup guide.',
-      'Ask Codex to use the auditor MCP tools to start or continue `/audit-code`.',
+      'Use the global `/audit-code` skill installed by `npm install -g auditor-lambda`.',
+      'If the global skill is unavailable, follow the AGENTS fallback instructions that point at the repo-local prompt asset.',
     ],
     profile: {
-      writeCodex: true,
       writeAgents: true,
     },
   },
@@ -1685,43 +1700,14 @@ async function verifyInstalledBootstrap(argv) {
 
     switch (hostKey) {
       case 'codex':
-        await collectVerifyCheck(checks, 'codex_skill', async () => {
-          const content = await readFile(assetPaths.codexSkillPath, 'utf8');
-          if (!content.includes('# audit-code skill')) {
-            throw new Error(`Codex skill file is missing the expected heading: ${assetPaths.codexSkillPath}`);
-          }
-          const sourceSkill = (await readFile(skillAssetPath, 'utf8')).replace(/\r\n/g, '\n');
-          if (content.replace(/\r\n/g, '\n') !== sourceSkill) {
-            throw new Error(
-              `Codex skill is out of sync with the source skill. Run "audit-code install --host codex" or "audit-code install".`,
-            );
+        await collectVerifyCheck(checks, 'codex_global_surface', async () => {
+          const content = await readFile(assetPaths.agentsInstructionsPath, 'utf8');
+          if (!content.includes('/audit-code')) {
+            throw new Error(`AGENTS instructions do not reference /audit-code: ${assetPaths.agentsInstructionsPath}`);
           }
           return {
-            summary: 'Codex skill bundle is present and matches the source skill.',
-            path: assetPaths.codexSkillPath,
-          };
-        });
-        await collectVerifyCheck(checks, 'codex_prompt', async () => {
-          const content = await readFile(assetPaths.codexPromptPath, 'utf8');
-          const sourcePrompt = await readFile(promptAssetPath, 'utf8');
-          if (content !== sourcePrompt) {
-            throw new Error(
-              `Codex prompt is out of sync with the source prompt. Run "audit-code install --host codex" or "audit-code install".`,
-            );
-          }
-          return {
-            summary: 'Codex prompt bundle is present and matches the source prompt.',
-            path: assetPaths.codexPromptPath,
-          };
-        });
-        await collectVerifyCheck(checks, 'codex_mcp_setup', async () => {
-          const content = await readFile(assetPaths.codexMcpSetupPath, 'utf8');
-          if (!content.includes(MCP_LAUNCHER_FILENAME)) {
-            throw new Error(`Codex MCP setup guide does not reference ${MCP_LAUNCHER_FILENAME}.`);
-          }
-          return {
-            summary: 'Codex MCP setup guide references the shared launcher.',
-            path: assetPaths.codexMcpSetupPath,
+            summary: 'Codex uses the global skill surface with AGENTS fallback instructions.',
+            path: assetPaths.agentsInstructionsPath,
           };
         });
         break;
@@ -1989,6 +1975,10 @@ async function detectBootstrapRefreshReason(root, host) {
     (installManifest.hosts ?? []).map((entry) => entry.host),
   );
 
+  if (hostCatalog.has('codex') && (assetPaths.codexSkillPath || assetPaths.codexPromptPath)) {
+    return 'legacy_repo_local_codex_skill';
+  }
+
   for (const hostKey of getInstallHostKeys(host)) {
     if (!hostCatalog.has(hostKey)) {
       return `missing_host_surface:${hostKey}`;
@@ -2029,14 +2019,6 @@ async function detectBootstrapRefreshReason(root, host) {
   for (const hostKey of getInstallHostKeys(host)) {
     switch (hostKey) {
       case 'codex': {
-        const codexSkill = await readTextIfExists(assetPaths.codexSkillPath);
-        if (codexSkill?.replace(/\r\n/g, '\n') !== sourceSkill) {
-          return 'stale_host_asset:codex:skill';
-        }
-        const codexPrompt = await readTextIfExists(assetPaths.codexPromptPath);
-        if (codexPrompt !== sourcePrompt) {
-          return 'stale_host_asset:codex:prompt';
-        }
         break;
       }
       case 'opencode': {
@@ -2240,6 +2222,23 @@ async function installBootstrap(argv, options = {}) {
     );
   }
 
+  if (!profile.writeCodex) {
+    const legacyCodexSkillRemoval = await removeGeneratedMarkdownIfMatches(
+      join(root, '.codex', 'skills', 'audit-code', 'SKILL.md'),
+      skillSource,
+    );
+    if (legacyCodexSkillRemoval) {
+      results.push(legacyCodexSkillRemoval);
+    }
+    const legacyCodexPromptRemoval = await removeGeneratedMarkdownIfMatches(
+      join(root, '.codex', 'skills', 'audit-code', 'audit-code.prompt.md'),
+      promptSource,
+    );
+    if (legacyCodexPromptRemoval) {
+      results.push(legacyCodexPromptRemoval);
+    }
+  }
+
   if (profile.writeCodex) {
     results.push(
       await writeGeneratedMarkdown(

package/dist/cli.js

@@ -792,7 +792,7 @@ async function cmdRunToCompletion(argv) {
             });
             const blockRunId = buildRunId(obligationId, runCount + 1);
             const blockPaths = getRunPaths(artifactsDir, blockRunId);
-            const blockPendingTasks = await addFileLineCountHints(root, buildPendingAuditTasks(bundle).slice(0, agentBatchSize));
+            const blockPendingTasks = await addFileLineCountHints(root, buildPendingAuditTasks(bundle));
             const blockPendingTasksPath = join(blockPaths.runDir, "pending-audit-tasks.json");
             const blockAuditResultsPath = join(blockPaths.runDir, "audit-results.json");
             const blockTask = {
@@ -1193,7 +1193,7 @@ async function cmdRunToCompletion(argv) {
             continue;
         }
         const pendingAuditTasks = preferredExecutor === "agent"
-            ? await addFileLineCountHints(root, buildPendingAuditTasks(bundle).slice(0, agentBatchSize))
+            ? await addFileLineCountHints(root, buildPendingAuditTasks(bundle))
             : undefined;
         const pendingAuditTasksPath = preferredExecutor === "agent"
             ? join(paths.runDir, "pending-audit-tasks.json")
@@ -1559,6 +1559,42 @@ function renderAnchorPreview(summary, anchorPath) {
         "",
     ];
 }
+function formatPacketConfidence(value) {
+    return typeof value === "number" && Number.isFinite(value)
+        ? value.toFixed(2)
+        : "n/a";
+}
+function renderPacketGraphContext(packet) {
+    const hasContext = (packet.entrypoints?.length ?? 0) > 0 ||
+        (packet.key_edges?.length ?? 0) > 0 ||
+        (packet.boundary_files?.length ?? 0) > 0 ||
+        packet.quality !== undefined;
+    if (!hasContext) {
+        return [];
+    }
+    const lines = ["## Packet graph context"];
+    if (packet.entrypoints?.length) {
+        lines.push("Entrypoints:");
+        lines.push(...packet.entrypoints.map((entrypoint) => `- ${entrypoint}`));
+    }
+    if (packet.key_edges?.length) {
+        lines.push("Key internal edges:");
+        lines.push(...packet.key_edges.map((edge) => {
+            const kind = edge.kind ? ` [${edge.kind}]` : "";
+            const reason = edge.reason ? ` - ${edge.reason}` : "";
+            return `- ${edge.from} -> ${edge.to}${kind} confidence=${formatPacketConfidence(edge.confidence)}${reason}`;
+        }));
+    }
+    if (packet.boundary_files?.length) {
+        lines.push("Boundary files to check only when evidence crosses the packet:");
+        lines.push(...packet.boundary_files.map((path) => `- ${path}`));
+    }
+    if (packet.quality) {
+        lines.push(`Quality: cohesion=${packet.quality.cohesion_score}, internal_edges=${packet.quality.internal_edge_count}, boundary_edges=${packet.quality.boundary_edge_count}, unexplained_files=${packet.quality.unexplained_file_count}`);
+    }
+    lines.push("");
+    return lines;
+}
 async function cmdPrepareDispatch(argv) {
     const runId = getFlag(argv, "--run-id");
     if (!runId)
@@ -1738,6 +1774,7 @@ async function cmdPrepareDispatch(argv) {
                 : "Use your Read tool. Paths are repo-relative from the current working directory.",
             fileList,
             "",
+            ...renderPacketGraphContext(packet),
             ...largeFileSection,
             "## Tasks",
             ...taskSections,
@@ -1961,13 +1998,12 @@ async function cmdMergeAndIngest(argv) {
     const passing = [];
     const failing = [];
     const seenTaskIds = new Set();
+    let spuriousFileCount = 0;
     for (const filename of files) {
         const filePath = resolve(join(taskResultsDir, filename));
         if (!expectedPaths.has(filePath)) {
-            failing.push({
-                task_id: filename,
-                errors: ["Unexpected task result file; only backend-assigned result paths may be ingested."],
-            });
+            spuriousFileCount++;
+            process.stderr.write(`[merge-and-ingest] Warning: ignoring unexpected file in task-results/: ${filename}\n`);
         }
     }
     for (const task of allTasks) {
@@ -2054,6 +2090,7 @@ async function cmdMergeAndIngest(argv) {
         status: workerResult.status,
         accepted_count: passing.length,
         rejected_count: 0,
+        spurious_file_count: spuriousFileCount,
         finding_count: findingCount,
         audit_results_path: auditResultsPath,
         selected_executor: workerResult.selected_executor,

package/dist/coverage.js

@@ -37,7 +37,9 @@ export function applyFileCoverage(matrix, fileCoverage) {
         const record = matrix.files.find((file) => file.path === coverage.path);
         if (!record || record.audit_status === "excluded")
             continue;
-        if (coverage.lens && !record.completed_lenses.includes(coverage.lens)) {
+        if (coverage.lens &&
+            record.required_lenses.includes(coverage.lens) &&
+            !record.completed_lenses.includes(coverage.lens)) {
             record.completed_lenses.push(coverage.lens);
         }
     }

package/dist/extractors/disposition.js

@@ -1,4 +1,4 @@
-import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isAuditArtifactPath, isGeneratedInstallArtifactPath, isExamplesOrFixturesPath, normalizeExtractorPath, } from "./pathPatterns.js";
+import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isAuditArtifactPath, isGeneratedTestArtifactPath, isGeneratedInstallArtifactPath, isExamplesOrFixturesPath, normalizeExtractorPath, } from "./pathPatterns.js";
 function inferDisposition(path) {
     const normalized = normalizeExtractorPath(path);
     if (isNodeModulesOrGit(normalized)) {
@@ -33,6 +33,13 @@ function inferDisposition(path) {
             reason: "Generated audit artifact.",
         };
     }
+    if (isGeneratedTestArtifactPath(normalized)) {
+        return {
+            path,
+            status: "generated",
+            reason: "Generated test artifact.",
+        };
+    }
     if (isDocPath(normalized)) {
         return { path, status: "doc_only", reason: "Documentation artifact." };
     }

package/dist/extractors/graph.d.ts

@@ -1,8 +1,10 @@
 import type { RepoManifest } from "../types.js";
 import type { FileDisposition } from "../types/disposition.js";
+import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
 import type { GraphBundle } from "../types/graph.js";
 export interface BuildGraphBundleOptions {
     fileContents?: Record<string, string>;
+    externalAnalyzerResults?: ExternalAnalyzerResults;
 }
-export declare function buildGraphBundleFromFs(repoManifest: RepoManifest, root: string, disposition?: FileDisposition): Promise<GraphBundle>;
+export declare function buildGraphBundleFromFs(repoManifest: RepoManifest, root: string, disposition?: FileDisposition, options?: Pick<BuildGraphBundleOptions, "externalAnalyzerResults">): Promise<GraphBundle>;
 export declare function buildGraphBundle(repoManifest: RepoManifest, disposition?: FileDisposition, options?: BuildGraphBundleOptions): GraphBundle;