auditor-lambda 0.3.13 → 0.3.15

package/README.md

@@ -30,7 +30,8 @@ npm install -g auditor-lambda
 
 That makes `audit-code` available on `PATH`. During package install, the package
 also writes user-level command/skill assets for hosts we can seed safely, including
-the Claude command file and global Codex skill bundle.
+the Claude command file, the global Codex skill bundle, and the global OpenCode
+slash command entry in `~/.config/opencode/opencode.json`.
 
 After that, invoke `/audit-code` in a supported host. The prompt self-bootstraps
 the current repository by running:
@@ -53,7 +54,7 @@ That bootstraps repo-local `/audit-code` surfaces for the hosts we can automate
 
 - Codex `AGENTS.md` fallback guidance for the global skill surface
 - Claude Desktop local MCP bundle artifacts and project template guidance
-- OpenCode command, skill, and `opencode.json` surfaces
+- OpenCode `opencode.json` with the `/audit-code` slash command and auditor MCP server
 - VS Code prompt, custom agent, Copilot instructions, and `.vscode/mcp.json`
 - Antigravity planning-mode guidance plus the shared repo-local MCP launcher
 
@@ -190,20 +191,25 @@ Optional backend config:
 - use `provider: "auto"` only when you want best-effort routing across installed backends
 - treat explicit provider bridges as compatibility fallback, not as the intended owner of semantic review
 
-## Implementation Next Steps
+## Current Development Focus
 
 The next implementation work is tracked in:
 
-- `docs/next-steps.md`
+- `docs/product.md`
+- `docs/development.md`
+- `docs/handoff.md`
 
 The short version is:
 
 - keep the packet dispatch workflow verified in real host environments
-- benchmark `/audit-code` packet counts and warning counts against nontrivial external repositories
-- prove the generated Codex, Claude Desktop, OpenCode, VS Code, and Antigravity guidance in real host flows
+- make graph-informed packetization observable before adding more ecosystem-specific parsers
+- consolidate graph extraction and exercise generic ownership hints for analyzer-supplied module roots
+- add deterministic Python import, package, and test/source graph support as a core language path
+- use semantic/NLP-style affinity only as low-authority context unless deterministic graph evidence supports it
+- keep generated Codex, Claude Desktop, OpenCode, VS Code, and Antigravity guidance aligned with real host behavior
 - tighten the repo-local MCP-first bootstrap where host smoke tests expose friction
 - polish provider-assisted continuation and failure guidance
-- finish publish and release hardening for packaged installs
+- keep schema contracts and examples easy for workers and host integrations to validate
 
 ## Build And Test
 
@@ -214,24 +220,15 @@ npm run release:patch
 npm run release:patch:publish
 ```
 
-For GitHub Actions publication and npm Trusted Publishing setup, see `docs/releasing.md`.
+For GitHub Actions publication and npm Trusted Publishing setup, see `docs/release.md`.
 
 ## Key Docs
 
-- `docs/product-direction.md`
-- `docs/workflow-refactor-brief.md`
-- `docs/remediation-baseline.md`
-- `docs/releasing.md`
-- `docs/production-readiness.md`
-- `docs/production-launch-bar.md`
-- `docs/next-steps.md`
+- `docs/product.md`
+- `docs/operator-guide.md`
+- `docs/contracts.md`
+- `docs/release.md`
+- `docs/development.md`
+- `docs/handoff.md`
+- `docs/history.md`
 - `skills/audit-code/SKILL.md`
-- `docs/bootstrap-install.md`
-- `docs/agent-integrations.md`
-- `docs/github-copilot.md`
-- `docs/contract.md`
-- `docs/model-selection.md`
-- `docs/packaging.md`
-- `docs/session-config.md`
-- `docs/supervisor.md`
-- `docs/windows-setup.md`

package/audit-code-wrapper-lib.mjs

@@ -533,10 +533,18 @@ function renderCodexAutomationRecipe() {
   ].join('\n');
 }
 
-function renderOpenCodeProjectConfig(root) {
+function renderOpenCodeProjectConfig(root, promptBody) {
   const launcher = replaceBackslashes(toRepoRelativePath(root, join(root, '.audit-code', 'install', MCP_LAUNCHER_FILENAME)));
   return {
     $schema: 'https://opencode.ai/config.json',
+    command: {
+      'audit-code': {
+        template: promptBody.trimStart(),
+        description: 'Autonomous local loop code auditing',
+        agent: 'auditor',
+        subtask: false,
+      },
+    },
     mcp: {
       auditor: {
         type: 'local',
@@ -599,11 +607,15 @@ function objectValue(value) {
     : {};
 }
 
-function buildMergedOpenCodeProjectConfig(existing, root) {
-  const generated = renderOpenCodeProjectConfig(root);
+function buildMergedOpenCodeProjectConfig(existing, root, promptBody) {
+  const generated = renderOpenCodeProjectConfig(root, promptBody);
   return {
     ...existing,
     $schema: existing.$schema ?? generated.$schema,
+    command: {
+      ...objectValue(existing.command),
+      'audit-code': generated.command['audit-code'],
+    },
     mcp: {
       ...objectValue(existing.mcp),
       auditor: generated.mcp.auditor,
@@ -645,7 +657,7 @@ function renderClaudeDesktopProjectTemplate() {
     '',
     '- `.audit-code/install/audit-code.import.md`',
     '- `.audit-code/install/GETTING-STARTED.md`',
-    '- `docs/agent-integrations.md` when you want host-specific operator context',
+    '- `docs/operator-guide.md` when you want host-specific operator context',
     '',
     'Starter prompt:',
     '',
@@ -1084,17 +1096,15 @@ const INSTALL_HOST_DEFINITIONS = {
     support_level: 'supported',
     setup_kind: 'command+agent+mcp',
     summary:
-      'Use the generated OpenCode command and project config so `/audit-code` and the local auditor MCP server are available together.',
-    primary_path_key: 'opencodeCommandPath',
+      'Use the generated `opencode.json` so the `/audit-code` slash command and the local auditor MCP server are both available.',
+    primary_path_key: 'opencodeConfigPath',
     supporting_path_keys: [
-      'opencodeConfigPath',
-      'opencodeSkillPath',
       'agentsInstructionsPath',
       'mcpLauncherPath',
     ],
     steps: [
       'Open this repository in OpenCode.',
-      'Let OpenCode load the generated `opencode.json` so the auditor MCP server is available.',
+      'Let OpenCode load the generated `opencode.json` — it registers the `/audit-code` slash command and the auditor MCP server.',
       'Invoke `/audit-code` and keep the audit loop on the auditor MCP tools.',
     ],
     profile: {
@@ -1792,63 +1802,28 @@ async function verifyInstalledBootstrap(argv) {
         break;
       }
       case 'opencode':
-        await collectVerifyCheck(checks, 'opencode_command', async () => {
-          const content = await readFile(assetPaths.opencodeCommandPath, 'utf8');
-          if (!content.includes('agent: auditor')) {
-            throw new Error(`OpenCode command file is missing the auditor agent frontmatter: ${assetPaths.opencodeCommandPath}`);
-          }
-          const { body: commandBody } = splitFrontmatter(content);
-          const { body: sourceBody } = splitFrontmatter(await readFile(promptAssetPath, 'utf8'));
-          if (commandBody !== sourceBody.trimStart()) {
-            throw new Error(
-              `OpenCode command prompt body is out of sync with the source prompt. Run "audit-code install --host opencode" or "audit-code install".`,
-            );
-          }
-          return {
-            summary: 'OpenCode command file is present and uses the source prompt body.',
-            path: assetPaths.opencodeCommandPath,
-          };
-        });
-        await collectVerifyCheck(checks, 'opencode_skill', async () => {
-          const content = (await readFile(assetPaths.opencodeSkillPath, 'utf8')).replace(/\r\n/g, '\n');
-          const sourceSkill = (await readFile(skillAssetPath, 'utf8')).replace(/\r\n/g, '\n');
-          if (content !== sourceSkill) {
-            throw new Error(
-              `OpenCode skill is out of sync with the source skill. Run "audit-code install --host opencode" or "audit-code install".`,
-            );
-          }
-          return {
-            summary: 'OpenCode skill is present and matches the source skill.',
-            path: assetPaths.opencodeSkillPath,
-          };
-        });
-        await collectVerifyCheck(checks, 'opencode_prompt', async () => {
-          const content = await readFile(assetPaths.opencodePromptPath, 'utf8');
-          const sourcePrompt = await readFile(promptAssetPath, 'utf8');
-          if (content !== sourcePrompt) {
-            throw new Error(
-              `OpenCode prompt is out of sync with the source prompt. Run "audit-code install --host opencode" or "audit-code install".`,
-            );
-          }
-          return {
-            summary: 'OpenCode prompt is present and matches the source prompt.',
-            path: assetPaths.opencodePromptPath,
-          };
-        });
         await collectVerifyCheck(checks, 'opencode_config', async () => {
           const config = await readJson(assetPaths.opencodeConfigPath, 'OpenCode project config');
-          const command = config?.mcp?.auditor?.command;
-          if (!Array.isArray(command) || command[0] !== 'node') {
+          const mcpCommand = config?.mcp?.auditor?.command;
+          if (!Array.isArray(mcpCommand) || mcpCommand[0] !== 'node') {
             throw new Error('OpenCode config must set mcp.auditor.command as a Node command array.');
           }
-          if (command[1] !== '.audit-code/install/run-mcp-server.mjs') {
-            throw new Error(`OpenCode config must point at .audit-code/install/${MCP_LAUNCHER_FILENAME}, got ${command[1] ?? 'missing'}.`);
+          if (mcpCommand[1] !== '.audit-code/install/run-mcp-server.mjs') {
+            throw new Error(`OpenCode config must point at .audit-code/install/${MCP_LAUNCHER_FILENAME}, got ${mcpCommand[1] ?? 'missing'}.`);
           }
           if (config?.mcp?.auditor?.type !== 'local') {
             throw new Error(`OpenCode config must set mcp.auditor.type to "local", got ${config?.mcp?.auditor?.type ?? 'missing'}.`);
           }
+          const commandConfig = config?.command?.['audit-code'];
+          if (!commandConfig?.template) {
+            throw new Error('OpenCode config is missing command["audit-code"].template — the /audit-code slash command will not surface. Run "audit-code install".');
+          }
+          const { body: sourceBody } = splitFrontmatter(await readFile(promptAssetPath, 'utf8'));
+          if (commandConfig.template !== sourceBody.trimStart()) {
+            throw new Error('OpenCode config command["audit-code"].template is out of sync with the source prompt. Run "audit-code install".');
+          }
           return {
-            summary: 'OpenCode project config parsed successfully.',
+            summary: 'OpenCode project config has MCP server and /audit-code slash command.',
             path: assetPaths.opencodeConfigPath,
           };
         });
@@ -2022,20 +1997,9 @@ async function detectBootstrapRefreshReason(root, host) {
         break;
       }
       case 'opencode': {
-        const opencodeSkill = await readTextIfExists(assetPaths.opencodeSkillPath);
-        if (opencodeSkill?.replace(/\r\n/g, '\n') !== sourceSkill) {
-          return 'stale_host_asset:opencode:skill';
-        }
-        const opencodePrompt = await readTextIfExists(assetPaths.opencodePromptPath);
-        if (opencodePrompt !== sourcePrompt) {
-          return 'stale_host_asset:opencode:prompt';
-        }
-        const opencodeCommand = await readTextIfExists(assetPaths.opencodeCommandPath);
-        if (opencodeCommand === null) {
-          return 'missing_host_asset:opencode:command';
-        }
-        if (splitFrontmatter(opencodeCommand).body !== sourcePromptBody.trimStart()) {
-          return 'stale_host_asset:opencode:command';
+        const opencodeConfig = await readJson(assetPaths.opencodeConfigPath, 'OpenCode config').catch(() => null);
+        if (opencodeConfig?.command?.['audit-code']?.template !== sourcePromptBody.trimStart()) {
+          return 'stale_host_asset:opencode:config_command';
         }
         break;
       }
@@ -2164,18 +2128,9 @@ async function installBootstrap(argv, options = {}) {
     claudeDesktopMcpbPath: profile.writeClaudeDesktop
       ? join(root, '.audit-code', 'install', 'claude-desktop', 'auditor-lambda.mcpb')
       : null,
-    opencodeCommandPath: profile.writeOpenCode
-      ? join(root, '.opencode', 'commands', 'audit-code.md')
-      : null,
     opencodeConfigPath: profile.writeOpenCode
       ? join(root, 'opencode.json')
       : null,
-    opencodeSkillPath: profile.writeOpenCode
-      ? join(root, '.opencode', 'skills', 'audit-code', 'SKILL.md')
-      : null,
-    opencodePromptPath: profile.writeOpenCode
-      ? join(root, '.opencode', 'skills', 'audit-code', 'audit-code.prompt.md')
-      : null,
     vscodePromptPath: profile.writeVSCode
       ? join(root, '.github', 'prompts', 'audit-code.prompt.md')
       : null,
@@ -2285,36 +2240,39 @@ async function installBootstrap(argv, options = {}) {
   }
 
   if (profile.writeOpenCode) {
-    results.push(
-      await writeGeneratedMarkdown(
-        assetPaths.opencodeCommandPath,
-        renderPromptFile(
-          {
-            description: 'Autonomous local loop code auditing',
-            agent: 'auditor',
-            subtask: false,
-          },
-          promptBody,
-        ),
-      ),
+    // Clean up legacy command/skill/prompt files that were generated by older installs.
+    // The slash command is now registered via the `command` section in opencode.json.
+    const legacyOpenCodeCommandPath = join(root, '.opencode', 'commands', 'audit-code.md');
+    const legacyOpenCodeCommandContent = renderPromptFile(
+      { description: 'Autonomous local loop code auditing', agent: 'auditor', subtask: false },
+      promptBody,
     );
-    results.push(
-      await writeGeneratedMarkdown(
-        assetPaths.opencodeSkillPath,
-        skillSource,
-      ),
+    const legacyOpenCodeCommandRemoval = await removeGeneratedMarkdownIfMatches(
+      legacyOpenCodeCommandPath,
+      legacyOpenCodeCommandContent,
     );
-    results.push(
-      await writeGeneratedMarkdown(
-        assetPaths.opencodePromptPath,
-        promptSource,
-      ),
+    if (legacyOpenCodeCommandRemoval) {
+      results.push(legacyOpenCodeCommandRemoval);
+    }
+    const legacyOpenCodeSkillRemoval = await removeGeneratedMarkdownIfMatches(
+      join(root, '.opencode', 'skills', 'audit-code', 'SKILL.md'),
+      skillSource,
     );
+    if (legacyOpenCodeSkillRemoval) {
+      results.push(legacyOpenCodeSkillRemoval);
+    }
+    const legacyOpenCodePromptRemoval = await removeGeneratedMarkdownIfMatches(
+      join(root, '.opencode', 'skills', 'audit-code', 'audit-code.prompt.md'),
+      promptSource,
+    );
+    if (legacyOpenCodePromptRemoval) {
+      results.push(legacyOpenCodePromptRemoval);
+    }
     results.push(
       await writeMergedGeneratedJson(
         assetPaths.opencodeConfigPath,
         'OpenCode project config',
-        (existing) => buildMergedOpenCodeProjectConfig(existing, root),
+        (existing) => buildMergedOpenCodeProjectConfig(existing, root, promptBody),
       ),
     );
   }
@@ -2415,7 +2373,7 @@ async function installBootstrap(argv, options = {}) {
     files: results,
     slash_command_surfaces: {
       vscode_prompt: assetPaths.vscodePromptPath,
-      opencode_command: assetPaths.opencodeCommandPath,
+      opencode_config: assetPaths.opencodeConfigPath,
     },
     instruction_surfaces: {
       agents: assetPaths.agentsInstructionsPath,

package/dist/cli.js

@@ -1559,6 +1559,42 @@ function renderAnchorPreview(summary, anchorPath) {
         "",
     ];
 }
+function formatPacketConfidence(value) {
+    return typeof value === "number" && Number.isFinite(value)
+        ? value.toFixed(2)
+        : "n/a";
+}
+function renderPacketGraphContext(packet) {
+    const hasContext = (packet.entrypoints?.length ?? 0) > 0 ||
+        (packet.key_edges?.length ?? 0) > 0 ||
+        (packet.boundary_files?.length ?? 0) > 0 ||
+        packet.quality !== undefined;
+    if (!hasContext) {
+        return [];
+    }
+    const lines = ["## Packet graph context"];
+    if (packet.entrypoints?.length) {
+        lines.push("Entrypoints:");
+        lines.push(...packet.entrypoints.map((entrypoint) => `- ${entrypoint}`));
+    }
+    if (packet.key_edges?.length) {
+        lines.push("Key internal edges:");
+        lines.push(...packet.key_edges.map((edge) => {
+            const kind = edge.kind ? ` [${edge.kind}]` : "";
+            const reason = edge.reason ? ` - ${edge.reason}` : "";
+            return `- ${edge.from} -> ${edge.to}${kind} confidence=${formatPacketConfidence(edge.confidence)}${reason}`;
+        }));
+    }
+    if (packet.boundary_files?.length) {
+        lines.push("Boundary files to check only when evidence crosses the packet:");
+        lines.push(...packet.boundary_files.map((path) => `- ${path}`));
+    }
+    if (packet.quality) {
+        lines.push(`Quality: cohesion=${packet.quality.cohesion_score}, internal_edges=${packet.quality.internal_edge_count}, boundary_edges=${packet.quality.boundary_edge_count}, unexplained_files=${packet.quality.unexplained_file_count}`);
+    }
+    lines.push("");
+    return lines;
+}
 async function cmdPrepareDispatch(argv) {
     const runId = getFlag(argv, "--run-id");
     if (!runId)
@@ -1738,6 +1774,7 @@ async function cmdPrepareDispatch(argv) {
                 : "Use your Read tool. Paths are repo-relative from the current working directory.",
             fileList,
             "",
+            ...renderPacketGraphContext(packet),
             ...largeFileSection,
             "## Tasks",
             ...taskSections,
@@ -1961,13 +1998,12 @@ async function cmdMergeAndIngest(argv) {
     const passing = [];
     const failing = [];
     const seenTaskIds = new Set();
+    let spuriousFileCount = 0;
     for (const filename of files) {
         const filePath = resolve(join(taskResultsDir, filename));
         if (!expectedPaths.has(filePath)) {
-            failing.push({
-                task_id: filename,
-                errors: ["Unexpected task result file; only backend-assigned result paths may be ingested."],
-            });
+            spuriousFileCount++;
+            process.stderr.write(`[merge-and-ingest] Warning: ignoring unexpected file in task-results/: ${filename}\n`);
         }
     }
     for (const task of allTasks) {
@@ -2054,6 +2090,7 @@ async function cmdMergeAndIngest(argv) {
         status: workerResult.status,
         accepted_count: passing.length,
         rejected_count: 0,
+        spurious_file_count: spuriousFileCount,
         finding_count: findingCount,
         audit_results_path: auditResultsPath,
         selected_executor: workerResult.selected_executor,

package/dist/coverage.js

@@ -37,7 +37,9 @@ export function applyFileCoverage(matrix, fileCoverage) {
         const record = matrix.files.find((file) => file.path === coverage.path);
         if (!record || record.audit_status === "excluded")
             continue;
-        if (coverage.lens && !record.completed_lenses.includes(coverage.lens)) {
+        if (coverage.lens &&
+            record.required_lenses.includes(coverage.lens) &&
+            !record.completed_lenses.includes(coverage.lens)) {
             record.completed_lenses.push(coverage.lens);
         }
     }

package/dist/extractors/disposition.js

@@ -1,4 +1,4 @@
-import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isAuditArtifactPath, isGeneratedInstallArtifactPath, isExamplesOrFixturesPath, normalizeExtractorPath, } from "./pathPatterns.js";
+import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isAuditArtifactPath, isGeneratedTestArtifactPath, isGeneratedInstallArtifactPath, isExamplesOrFixturesPath, normalizeExtractorPath, } from "./pathPatterns.js";
 function inferDisposition(path) {
     const normalized = normalizeExtractorPath(path);
     if (isNodeModulesOrGit(normalized)) {
@@ -33,6 +33,13 @@ function inferDisposition(path) {
             reason: "Generated audit artifact.",
         };
     }
+    if (isGeneratedTestArtifactPath(normalized)) {
+        return {
+            path,
+            status: "generated",
+            reason: "Generated test artifact.",
+        };
+    }
     if (isDocPath(normalized)) {
         return { path, status: "doc_only", reason: "Documentation artifact." };
     }

package/dist/extractors/graph.d.ts

@@ -1,8 +1,10 @@
 import type { RepoManifest } from "../types.js";
 import type { FileDisposition } from "../types/disposition.js";
+import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
 import type { GraphBundle } from "../types/graph.js";
 export interface BuildGraphBundleOptions {
     fileContents?: Record<string, string>;
+    externalAnalyzerResults?: ExternalAnalyzerResults;
 }
-export declare function buildGraphBundleFromFs(repoManifest: RepoManifest, root: string, disposition?: FileDisposition): Promise<GraphBundle>;
+export declare function buildGraphBundleFromFs(repoManifest: RepoManifest, root: string, disposition?: FileDisposition, options?: Pick<BuildGraphBundleOptions, "externalAnalyzerResults">): Promise<GraphBundle>;
 export declare function buildGraphBundle(repoManifest: RepoManifest, disposition?: FileDisposition, options?: BuildGraphBundleOptions): GraphBundle;