auditor-lambda 0.3.18 → 0.3.20

package/dist/extractors/browserExtension.js

@@ -0,0 +1,378 @@
+import { posix } from "node:path";
+import { isAuditExcludedStatus } from "./disposition.js";
+import { graphEdge, normalizeGraphPath, resolveCandidate, } from "./graphPathUtils.js";
+export const BROWSER_EXTENSION_HEURISTIC_NOTE = "Chrome extension manifest and HTML asset references were resolved deterministically from local paths; verify unusual dynamic registration manually.";
+const CHROME_EXTENSION_BACKGROUND_EDGE = "chrome-extension-background-link";
+const CHROME_EXTENSION_CONTENT_SCRIPT_EDGE = "chrome-extension-content-script-link";
+const CHROME_EXTENSION_CONTENT_STYLE_EDGE = "chrome-extension-content-style-link";
+const CHROME_EXTENSION_UI_PAGE_EDGE = "chrome-extension-ui-page-link";
+const CHROME_EXTENSION_WEB_ACCESSIBLE_EDGE = "chrome-extension-web-accessible-resource-link";
+const HTML_RESOURCE_EDGE = "html-resource-link";
+const CHROME_EXTENSION_EDGE_CONFIDENCE = 0.94;
+const HTML_RESOURCE_EDGE_CONFIDENCE = 0.86;
+const EXTENSION_SURFACE_EDGE_KINDS = new Set([
+    CHROME_EXTENSION_BACKGROUND_EDGE,
+    CHROME_EXTENSION_CONTENT_SCRIPT_EDGE,
+    CHROME_EXTENSION_UI_PAGE_EDGE,
+]);
+const HIGH_RISK_PERMISSION_TOKENS = [
+    "<all_urls>",
+    "activeTab",
+    "debugger",
+    "declarativeNetRequest",
+    "downloads",
+    "downloads.open",
+    "nativeMessaging",
+    "proxy",
+    "scripting",
+    "tabs",
+    "unlimitedStorage",
+    "webNavigation",
+    "webRequest",
+];
+function isRecord(value) {
+    return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+function asString(value) {
+    return typeof value === "string" && value.trim().length > 0
+        ? value.trim()
+        : undefined;
+}
+function asStringArray(value) {
+    return Array.isArray(value)
+        ? value
+            .map((item) => asString(item))
+            .filter((item) => item !== undefined)
+        : [];
+}
+function parseJsonObject(content) {
+    try {
+        const parsed = JSON.parse(content);
+        return isRecord(parsed) ? parsed : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+export function isBrowserExtensionManifestPath(path) {
+    return posix.basename(normalizeGraphPath(path)).toLowerCase() === "manifest.json";
+}
+function isBrowserExtensionManifest(value) {
+    return (typeof value.manifest_version === "number" &&
+        (isRecord(value.background) ||
+            Array.isArray(value.content_scripts) ||
+            isRecord(value.action) ||
+            isRecord(value.browser_action) ||
+            isRecord(value.page_action) ||
+            isRecord(value.side_panel) ||
+            isRecord(value.options_ui) ||
+            typeof value.options_page === "string" ||
+            typeof value.devtools_page === "string" ||
+            isRecord(value.chrome_url_overrides) ||
+            Array.isArray(value.web_accessible_resources)));
+}
+function localPathCandidate(specifier) {
+    const withoutQuery = specifier.trim().split(/[?#]/, 1)[0]?.trim() ?? "";
+    if (withoutQuery.length === 0 ||
+        withoutQuery.startsWith("<") ||
+        withoutQuery.includes("*") ||
+        /^[a-z][a-z0-9+.-]*:/i.test(withoutQuery) ||
+        withoutQuery.startsWith("//")) {
+        return undefined;
+    }
+    return normalizeGraphPath(withoutQuery).replace(/^\/+/, "");
+}
+function resolveLocalReference(fromPath, specifier, pathLookup) {
+    const local = localPathCandidate(specifier);
+    if (!local) {
+        return undefined;
+    }
+    const isRootRelative = specifier.trim().startsWith("/");
+    const baseDir = posix.dirname(normalizeGraphPath(fromPath));
+    const candidate = isRootRelative || baseDir === "." ? local : posix.join(baseDir, local);
+    return resolveCandidate(candidate, pathLookup);
+}
+function addManifestReference(edges, params) {
+    const target = resolveLocalReference(params.fromPath, params.specifier, params.pathLookup);
+    if (!target) {
+        return;
+    }
+    edges.push(graphEdge({
+        from: params.fromPath,
+        to: target,
+        kind: params.kind,
+        confidence: CHROME_EXTENSION_EDGE_CONFIDENCE,
+        reason: `Chrome extension manifest field '${params.field}' references '${params.specifier}'.`,
+    }));
+}
+function collectExtensionUiPageReferences(manifest) {
+    const entries = [];
+    for (const objectField of ["action", "browser_action", "page_action"]) {
+        const value = manifest[objectField];
+        if (isRecord(value)) {
+            const popup = asString(value.default_popup);
+            if (popup)
+                entries.push({ field: `${objectField}.default_popup`, specifier: popup });
+        }
+    }
+    const sidePanel = manifest.side_panel;
+    if (isRecord(sidePanel)) {
+        const path = asString(sidePanel.default_path);
+        if (path)
+            entries.push({ field: "side_panel.default_path", specifier: path });
+    }
+    const optionsPage = asString(manifest.options_page);
+    if (optionsPage)
+        entries.push({ field: "options_page", specifier: optionsPage });
+    const optionsUi = manifest.options_ui;
+    if (isRecord(optionsUi)) {
+        const page = asString(optionsUi.page);
+        if (page)
+            entries.push({ field: "options_ui.page", specifier: page });
+    }
+    const devtoolsPage = asString(manifest.devtools_page);
+    if (devtoolsPage)
+        entries.push({ field: "devtools_page", specifier: devtoolsPage });
+    const overrides = manifest.chrome_url_overrides;
+    if (isRecord(overrides)) {
+        for (const [key, value] of Object.entries(overrides)) {
+            const page = asString(value);
+            if (page)
+                entries.push({ field: `chrome_url_overrides.${key}`, specifier: page });
+        }
+    }
+    const sandbox = manifest.sandbox;
+    if (isRecord(sandbox)) {
+        asStringArray(sandbox.pages).forEach((page, index) => entries.push({ field: `sandbox.pages.${index}`, specifier: page }));
+    }
+    return entries;
+}
+function collectWebAccessibleReferences(manifest) {
+    const entries = [];
+    const resources = manifest.web_accessible_resources;
+    if (!Array.isArray(resources)) {
+        return entries;
+    }
+    resources.forEach((item, index) => {
+        if (typeof item === "string") {
+            entries.push({
+                field: `web_accessible_resources.${index}`,
+                specifier: item,
+            });
+            return;
+        }
+        if (!isRecord(item)) {
+            return;
+        }
+        asStringArray(item.resources).forEach((resource, resourceIndex) => entries.push({
+            field: `web_accessible_resources.${index}.resources.${resourceIndex}`,
+            specifier: resource,
+        }));
+    });
+    return entries;
+}
+export function extractChromeExtensionManifestEdges(fromPath, content, pathLookup) {
+    if (!isBrowserExtensionManifestPath(fromPath)) {
+        return [];
+    }
+    const manifest = parseJsonObject(content);
+    if (!manifest || !isBrowserExtensionManifest(manifest)) {
+        return [];
+    }
+    const edges = [];
+    const background = manifest.background;
+    if (isRecord(background)) {
+        const serviceWorker = asString(background.service_worker);
+        if (serviceWorker) {
+            addManifestReference(edges, {
+                fromPath,
+                field: "background.service_worker",
+                kind: CHROME_EXTENSION_BACKGROUND_EDGE,
+                specifier: serviceWorker,
+                pathLookup,
+            });
+        }
+        asStringArray(background.scripts).forEach((script, index) => addManifestReference(edges, {
+            fromPath,
+            field: `background.scripts.${index}`,
+            kind: CHROME_EXTENSION_BACKGROUND_EDGE,
+            specifier: script,
+            pathLookup,
+        }));
+    }
+    const contentScripts = manifest.content_scripts;
+    if (Array.isArray(contentScripts)) {
+        contentScripts.forEach((item, index) => {
+            if (!isRecord(item)) {
+                return;
+            }
+            asStringArray(item.js).forEach((script, scriptIndex) => addManifestReference(edges, {
+                fromPath,
+                field: `content_scripts.${index}.js.${scriptIndex}`,
+                kind: CHROME_EXTENSION_CONTENT_SCRIPT_EDGE,
+                specifier: script,
+                pathLookup,
+            }));
+            asStringArray(item.css).forEach((style, styleIndex) => addManifestReference(edges, {
+                fromPath,
+                field: `content_scripts.${index}.css.${styleIndex}`,
+                kind: CHROME_EXTENSION_CONTENT_STYLE_EDGE,
+                specifier: style,
+                pathLookup,
+            }));
+        });
+    }
+    for (const { field, specifier } of collectExtensionUiPageReferences(manifest)) {
+        addManifestReference(edges, {
+            fromPath,
+            field,
+            kind: CHROME_EXTENSION_UI_PAGE_EDGE,
+            specifier,
+            pathLookup,
+        });
+    }
+    for (const { field, specifier } of collectWebAccessibleReferences(manifest)) {
+        addManifestReference(edges, {
+            fromPath,
+            field,
+            kind: CHROME_EXTENSION_WEB_ACCESSIBLE_EDGE,
+            specifier,
+            pathLookup,
+        });
+    }
+    return edges;
+}
+function extractHtmlAttributeReferences(content, elementName, attributeName) {
+    const unquotedAttributeValue = "[^\\s\"'<>`]+";
+    const pattern = new RegExp(`<${elementName}\\b[^>]*\\b${attributeName}\\s*=\\s*(?:"([^"]+)"|'([^']+)'|(${unquotedAttributeValue}))`, "gi");
+    const values = [];
+    for (const match of content.matchAll(pattern)) {
+        const value = match[1] ?? match[2] ?? match[3];
+        if (value)
+            values.push(value);
+    }
+    return values;
+}
+export function extractHtmlResourceEdges(fromPath, content, pathLookup) {
+    const normalized = normalizeGraphPath(fromPath).toLowerCase();
+    if (!normalized.endsWith(".html") && !normalized.endsWith(".htm")) {
+        return [];
+    }
+    const references = [
+        ...extractHtmlAttributeReferences(content, "script", "src"),
+        ...extractHtmlAttributeReferences(content, "link", "href"),
+    ];
+    const edges = [];
+    for (const specifier of references) {
+        const target = resolveLocalReference(fromPath, specifier, pathLookup);
+        if (!target) {
+            continue;
+        }
+        edges.push(graphEdge({
+            from: fromPath,
+            to: target,
+            kind: HTML_RESOURCE_EDGE,
+            confidence: HTML_RESOURCE_EDGE_CONFIDENCE,
+            reason: `HTML resource attribute references '${specifier}'.`,
+        }));
+    }
+    return edges;
+}
+export function hasBrowserExtensionManifestFile(repoManifest) {
+    return repoManifest.files.some((file) => normalizeGraphPath(file.path).toLowerCase() === "manifest.json");
+}
+export function deriveBrowserExtensionLensesForPath(path) {
+    const normalized = normalizeGraphPath(path).toLowerCase();
+    if (normalized === "manifest.json") {
+        return ["security", "correctness", "config_deployment", "operability"];
+    }
+    if (normalized.startsWith("service/") ||
+        normalized.startsWith("background/") ||
+        normalized.includes("service-worker") ||
+        normalized.includes("background")) {
+        return ["security", "correctness", "reliability", "observability"];
+    }
+    if (normalized.startsWith("content/") || normalized.includes("content-script")) {
+        return ["security", "correctness", "reliability"];
+    }
+    if (normalized.includes("popup") ||
+        normalized.includes("sidebar") ||
+        normalized.includes("side-panel") ||
+        normalized.includes("panel") ||
+        normalized.endsWith(".html")) {
+        return ["security", "correctness", "maintainability"];
+    }
+    if (normalized.includes("worker")) {
+        return ["correctness", "reliability", "performance"];
+    }
+    return [];
+}
+export function inferBrowserExtensionUnitKind(path) {
+    const normalized = normalizeGraphPath(path).toLowerCase();
+    if (normalized === "manifest.json")
+        return "extension_config";
+    if (normalized.startsWith("service/") || normalized.startsWith("background/")) {
+        return "extension_background";
+    }
+    if (normalized.startsWith("content/"))
+        return "extension_content";
+    if (normalized.includes("worker"))
+        return "worker";
+    if (normalized.endsWith(".html"))
+        return "extension_ui";
+    return undefined;
+}
+function isExecutableExtensionSurfaceTarget(path) {
+    const normalized = normalizeGraphPath(path).toLowerCase();
+    return (normalized.endsWith(".js") ||
+        normalized.endsWith(".mjs") ||
+        normalized.endsWith(".cjs") ||
+        normalized.endsWith(".html") ||
+        normalized.endsWith(".htm"));
+}
+export function buildBrowserExtensionSurfacesFromGraph(graphBundle, disposition) {
+    const references = Array.isArray(graphBundle?.graphs.references)
+        ? graphBundle.graphs.references
+        : [];
+    const dispositionMap = new Map(disposition?.files.map((item) => [item.path, item.status]) ?? []);
+    const surfaces = [];
+    const seen = new Set();
+    for (const edge of references) {
+        if (!edge.kind || !EXTENSION_SURFACE_EDGE_KINDS.has(edge.kind)) {
+            continue;
+        }
+        if (!isExecutableExtensionSurfaceTarget(edge.to)) {
+            continue;
+        }
+        const status = dispositionMap.get(edge.to);
+        if (status && isAuditExcludedStatus(status)) {
+            continue;
+        }
+        const kind = edge.kind === CHROME_EXTENSION_BACKGROUND_EDGE ? "background" : "interface";
+        const key = `${kind}:${edge.to}`;
+        if (seen.has(key)) {
+            continue;
+        }
+        seen.add(key);
+        surfaces.push({
+            id: `surface:${edge.to}`,
+            kind,
+            entrypoint: edge.to,
+            exposure: edge.kind === CHROME_EXTENSION_CONTENT_SCRIPT_EDGE ? "network" : "local",
+            notes: [BROWSER_EXTENSION_HEURISTIC_NOTE],
+        });
+    }
+    return surfaces.sort((a, b) => a.entrypoint.localeCompare(b.entrypoint) || a.kind.localeCompare(b.kind));
+}
+export function chromeExtensionRiskSignalsForManifest(content) {
+    const manifest = parseJsonObject(content);
+    if (!manifest || !isBrowserExtensionManifest(manifest)) {
+        return [];
+    }
+    const permissions = [
+        ...asStringArray(manifest.permissions),
+        ...asStringArray(manifest.optional_permissions),
+        ...asStringArray(manifest.host_permissions),
+    ];
+    return HIGH_RISK_PERMISSION_TOKENS.filter((token) => permissions.some((permission) => permission === token));
+}

package/dist/extractors/disposition.js

@@ -1,4 +1,4 @@
-import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isAuditArtifactPath, isGeneratedTestArtifactPath, isGeneratedInstallArtifactPath, isExamplesOrFixturesPath, normalizeExtractorPath, } from "./pathPatterns.js";
+import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isGeneratedPath, isAuditArtifactPath, isGeneratedTestArtifactPath, isGeneratedInstallArtifactPath, isExamplesOrFixturesPath, normalizeExtractorPath, } from "./pathPatterns.js";
 function inferDisposition(path) {
     const normalized = normalizeExtractorPath(path);
     if (isNodeModulesOrGit(normalized)) {
@@ -33,6 +33,13 @@ function inferDisposition(path) {
             reason: "Generated audit artifact.",
         };
     }
+    if (isGeneratedPath(normalized)) {
+        return {
+            path,
+            status: "generated",
+            reason: "Generated artifact path.",
+        };
+    }
     if (isGeneratedTestArtifactPath(normalized)) {
         return {
             path,

package/dist/extractors/fsIntake.js

@@ -11,6 +11,7 @@ const DEFAULT_IGNORES = [
     ".turbo",
     ".artifacts",
     ".audit-artifacts",
+    ".audit-code/install",
     ".agent",
     ".claude",
     "coverage",

package/dist/extractors/graph.js

@@ -2,6 +2,7 @@ import { readFile } from "node:fs/promises";
 import { isAbsolute, relative, resolve } from "node:path";
 import { posix } from "node:path";
 import { isAuditExcludedStatus } from "./disposition.js";
+import { extractChromeExtensionManifestEdges, extractHtmlResourceEdges, } from "./browserExtension.js";
 import { extractCargoWorkspaceMemberEdges, extractGoWorkspaceModuleEdges, extractMavenModuleEdges, extractPackageEntrypointEdges, extractPackageScriptEdges, extractPyprojectTestpathLinks, extractTypescriptProjectReferenceEdges, extractWorkspacePackageEdges, extractYamlPathReferenceEdges, isCargoManifestPath, isGoWorkspaceManifestPath, isMavenPomPath, isPyprojectPath, } from "./graphManifestEdges.js";
 import { graphEdge, graphLookupKey, normalizeGraphPath, resolveCandidate, } from "./graphPathUtils.js";
 import { isTestPath, normalizeExtractorPath } from "./pathPatterns.js";
@@ -10,6 +11,7 @@ const SOURCE_LANGUAGES = new Set([
     "typescript",
     "javascript",
     "json",
+    "html",
     "yaml",
     "python",
     "go",
@@ -27,6 +29,8 @@ const SOURCE_EXTENSIONS = [
     ".mjs",
     ".cjs",
     ".json",
+    ".html",
+    ".htm",
     ".yml",
     ".yaml",
     ".py",
@@ -1309,6 +1313,8 @@ export function buildGraphBundle(repoManifest, disposition, options = {}) {
             references.push(...extractReferenceEdges(file.path, content, pathLookup));
             references.push(...extractJsonSchemaReferenceEdges(file.path, content, pathLookup));
             references.push(...extractPackageEntrypointEdges(file.path, content, pathLookup));
+            references.push(...extractChromeExtensionManifestEdges(file.path, content, pathLookup));
+            references.push(...extractHtmlResourceEdges(file.path, content, pathLookup));
             references.push(...extractPackageScriptEdges(file.path, content, pathLookup));
             references.push(...extractWorkspacePackageEdges(file.path, content, pathLookup));
             references.push(...extractTypescriptProjectReferenceEdges(file.path, content, pathLookup));

package/dist/extractors/pathPatterns.js

@@ -10,6 +10,16 @@ const BINARY_EXTENSIONS = [
     ".jpg",
     ".jpeg",
     ".gif",
+    ".webp",
+    ".svg",
+    ".ico",
+    ".bmp",
+    ".avif",
+    ".wasm",
+    ".woff",
+    ".woff2",
+    ".ttf",
+    ".otf",
     ".pdf",
     ".zip",
 ];
@@ -216,7 +226,11 @@ export function isDeploymentConfigPath(normalized) {
     return hasToken(normalized, DEPLOYMENT_KEYWORDS) || endsWithAny(normalized, [".yml", ".yaml"]);
 }
 export function isGeneratedPath(normalized) {
-    return isVendorPath(normalized) || hasToken(normalized, ["generated", "autogenerated"]);
+    return (isVendorPath(normalized) ||
+        normalized.endsWith(".map") ||
+        normalized.endsWith(".wasm.mjs") ||
+        normalized.endsWith(".wasm.js") ||
+        hasToken(normalized, ["generated", "autogenerated"]));
 }
 export function isSurfacePath(normalized) {
     return (hasSegment(normalized, "api") ||

package/dist/extractors/surfaces.d.ts

@@ -1,8 +1,11 @@
 import type { RepoManifest } from "../types.js";
 import type { FileDisposition } from "../types/disposition.js";
+import type { GraphBundle } from "../types/graph.js";
 import type { SurfaceManifest } from "../types/surfaces.js";
 /**
  * Detects likely execution surfaces from file paths using the shared extractor
  * heuristics, primarily to seed later audit planning.
  */
-export declare function buildSurfaceManifest(repoManifest: RepoManifest, disposition?: FileDisposition): SurfaceManifest;
+export declare function buildSurfaceManifest(repoManifest: RepoManifest, disposition?: FileDisposition, options?: {
+    graphBundle?: GraphBundle;
+}): SurfaceManifest;

package/dist/extractors/surfaces.js

@@ -1,3 +1,4 @@
+import { buildBrowserExtensionSurfacesFromGraph } from "./browserExtension.js";
 import { isAuditExcludedStatus } from "./disposition.js";
 import { EXTRACTOR_HEURISTIC_NOTE, isBackgroundSurfacePath, isNetworkSurfacePath, isSurfacePath, normalizeExtractorPath, } from "./pathPatterns.js";
 function methodsForPath(path) {
@@ -11,9 +12,18 @@ function methodsForPath(path) {
  * Detects likely execution surfaces from file paths using the shared extractor
  * heuristics, primarily to seed later audit planning.
  */
-export function buildSurfaceManifest(repoManifest, disposition) {
+export function buildSurfaceManifest(repoManifest, disposition, options = {}) {
     const surfaces = [];
+    const seen = new Set();
     const dispositionMap = new Map(disposition?.files.map((item) => [item.path, item.status]) ?? []);
+    function addSurface(surface) {
+        const key = `${surface.kind}:${surface.entrypoint}`;
+        if (seen.has(key)) {
+            return;
+        }
+        seen.add(key);
+        surfaces.push(surface);
+    }
     for (const file of repoManifest.files) {
         const status = dispositionMap.get(file.path);
         if (status && isAuditExcludedStatus(status)) {
@@ -21,7 +31,7 @@ export function buildSurfaceManifest(repoManifest, disposition) {
         }
         const normalized = normalizeExtractorPath(file.path);
         if (isSurfacePath(normalized)) {
-            surfaces.push({
+            addSurface({
                 id: `surface:${file.path}`,
                 kind: isBackgroundSurfacePath(normalized) ? "background" : "interface",
                 entrypoint: file.path,
@@ -31,5 +41,8 @@ export function buildSurfaceManifest(repoManifest, disposition) {
             });
         }
     }
+    for (const surface of buildBrowserExtensionSurfacesFromGraph(options.graphBundle, disposition)) {
+        addSurface(surface);
+    }
     return { surfaces };
 }

package/dist/io/runArtifacts.js

@@ -10,6 +10,8 @@ const findingSchemaPath = join(packageRoot, "schemas", "finding.schema.json");
 const CURRENT_TASK_FILENAME = "current-task.json";
 const CURRENT_PROMPT_FILENAME = "current-prompt.md";
 const CURRENT_TASKS_FILENAME = "current-tasks.json";
+const CURRENT_SINGLE_TASK_FILENAME = "current-single-task.json";
+const CURRENT_SINGLE_TASK_PROMPT_FILENAME = "current-single-task-prompt.md";
 const CURRENT_SCHEMA_FILENAME = "audit-result.schema.json";
 const CURRENT_RESULTS_SCHEMA_FILENAME = "audit-results.schema.json";
 const CURRENT_FINDING_SCHEMA_FILENAME = "finding.schema.json";
@@ -63,6 +65,49 @@ async function writeDispatchSchemaFiles(artifactsDir) {
     await writeFile(join(dispatchDir, CURRENT_RESULTS_SCHEMA_FILENAME), await readFile(auditResultsSchemaPath, "utf8"), "utf8");
     await writeFile(join(dispatchDir, CURRENT_FINDING_SCHEMA_FILENAME), await readFile(findingSchemaPath, "utf8"), "utf8");
 }
+function renderSingleTaskFallbackPrompt(task, auditTask) {
+    const commandArgv = JSON.stringify(task.worker_command);
+    const lineCounts = auditTask.file_paths
+        .map((path) => `- ${path}: ${auditTask.file_line_counts?.[path] ?? 0} lines`)
+        .join("\n");
+    return [
+        "# audit-code single-task fallback",
+        "",
+        "Use this file only when the conversation host cannot dispatch subagents.",
+        "This prompt is generated deterministically from the first pending task.",
+        "",
+        `run_id: ${task.run_id}`,
+        `task_id: ${auditTask.task_id}`,
+        `unit_id: ${auditTask.unit_id}`,
+        `pass_id: ${auditTask.pass_id}`,
+        `lens: ${auditTask.lens}`,
+        `rationale: ${auditTask.rationale}`,
+        "",
+        "Assigned files and line counts:",
+        lineCounts,
+        "",
+        "Instructions:",
+        "1. Read only the assigned files above.",
+        "2. Produce exactly one AuditResult object for task_id above, wrapped in a JSON array.",
+        "3. Write that JSON array to audit_results_path.",
+        "4. Run worker_command exactly, then stop without checking audit state or reading a report.",
+        "",
+        `audit_results_path: ${task.audit_results_path}`,
+        `worker_command: ${commandArgv}`,
+        "",
+    ].join("\n");
+}
+async function writeSingleTaskFallbackFiles(artifactsDir, task, currentTasks) {
+    if (task.preferred_executor !== "agent" ||
+        !task.audit_results_path ||
+        !currentTasks ||
+        currentTasks.length === 0) {
+        return;
+    }
+    const firstTask = currentTasks[0];
+    await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_SINGLE_TASK_FILENAME), firstTask);
+    await writeFile(join(artifactsDir, "dispatch", CURRENT_SINGLE_TASK_PROMPT_FILENAME), renderSingleTaskFallbackPrompt(task, firstTask), "utf8");
+}
 export async function writeWorkerTaskFiles(task, prompt, paths, artifactsDir, currentTasks, options = {}) {
     await mkdir(paths.runDir, { recursive: true });
     await writeJsonFile(paths.taskPath, task);
@@ -78,6 +123,7 @@ export async function writeWorkerTaskFiles(task, prompt, paths, artifactsDir, cu
     await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASK_FILENAME), task);
     await writeFile(join(artifactsDir, "dispatch", CURRENT_PROMPT_FILENAME), prompt, "utf8");
     await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASKS_FILENAME), currentTasks ?? []);
+    await writeSingleTaskFallbackFiles(artifactsDir, task, currentTasks);
     await writeDispatchSchemaFiles(artifactsDir);
 }
 export async function writeDispatchBatchFiles(artifactsDir, runs, currentTasks) {
@@ -121,6 +167,8 @@ export async function clearDispatchFiles(artifactsDir) {
         CURRENT_TASK_FILENAME,
         CURRENT_PROMPT_FILENAME,
         CURRENT_TASKS_FILENAME,
+        CURRENT_SINGLE_TASK_FILENAME,
+        CURRENT_SINGLE_TASK_PROMPT_FILENAME,
         CURRENT_SCHEMA_FILENAME,
         CURRENT_RESULTS_SCHEMA_FILENAME,
         CURRENT_FINDING_SCHEMA_FILENAME,

package/dist/orchestrator/autoFixExecutor.js

@@ -1,3 +1,4 @@
+import { existsSync, readFileSync } from "node:fs";
 import { join } from "node:path";
 import { isAuditExcludedStatus } from "../extractors/disposition.js";
 import { resolveNodeTool, runFirstAvailableCommand, } from "./localCommands.js";
@@ -5,6 +6,35 @@ function tryRunConfiguredFormatter(root, candidates) {
     const result = runFirstAvailableCommand(root, candidates);
     return result !== null && !result.error && result.exitCode === 0;
 }
+const PRETTIER_CONFIG_FILES = [
+    ".prettierrc",
+    ".prettierrc.json",
+    ".prettierrc.yml",
+    ".prettierrc.yaml",
+    ".prettierrc.json5",
+    ".prettierrc.js",
+    ".prettierrc.cjs",
+    ".prettierrc.mjs",
+    "prettier.config.js",
+    "prettier.config.cjs",
+    "prettier.config.mjs",
+];
+function hasPrettierConfig(root) {
+    if (PRETTIER_CONFIG_FILES.some((file) => existsSync(join(root, file)))) {
+        return true;
+    }
+    const packageJsonPath = join(root, "package.json");
+    if (!existsSync(packageJsonPath)) {
+        return false;
+    }
+    try {
+        const packageJson = JSON.parse(readFileSync(packageJsonPath, "utf8"));
+        return packageJson.prettier !== undefined;
+    }
+    catch {
+        return false;
+    }
+}
 export function runAutoFixExecutor(bundle, root) {
     if (!bundle.file_disposition) {
         throw new Error("Cannot run auto fix executor without file_disposition");
@@ -20,16 +50,17 @@ export function runAutoFixExecutor(bundle, root) {
     }
     const executedTools = [];
     // JS, TS, HTML, CSS, JSON, YAML, MD
-    if (extensions.has("ts") ||
-        extensions.has("js") ||
-        extensions.has("tsx") ||
-        extensions.has("jsx") ||
-        extensions.has("html") ||
-        extensions.has("css") ||
-        extensions.has("json") ||
-        extensions.has("yml") ||
-        extensions.has("yaml") ||
-        extensions.has("md")) {
+    if (hasPrettierConfig(root) &&
+        (extensions.has("ts") ||
+            extensions.has("js") ||
+            extensions.has("tsx") ||
+            extensions.has("jsx") ||
+            extensions.has("html") ||
+            extensions.has("css") ||
+            extensions.has("json") ||
+            extensions.has("yml") ||
+            extensions.has("yaml") ||
+            extensions.has("md"))) {
         if (tryRunConfiguredFormatter(root, [
             ...resolveNodeTool(root, join("node_modules", "prettier", "bin", "prettier.cjs"), ["--write", "."], "prettier --write ."),
             { command: "prettier", args: ["--write", "."], display: "prettier --write ." },