auditor-lambda 0.3.19 → 0.3.21

package/README.md

@@ -30,8 +30,9 @@ npm install -g auditor-lambda
 
 That makes `audit-code` available on `PATH`. During package install, the package
 also writes user-level command/skill assets for hosts we can seed safely, including
-the Claude command file, the global Codex skill bundle, and the global OpenCode
-slash command entry in `~/.config/opencode/opencode.json`.
+the Claude command file, the global Codex skill bundle with `audit-code` display
+metadata, and the global OpenCode slash command entry in
+`~/.config/opencode/opencode.json`.
 
 After that, invoke `/audit-code` in a supported host. The prompt self-bootstraps
 the current repository by running:
@@ -50,11 +51,11 @@ The explicit repair and compatibility setup path remains:
 audit-code install
 ```
 
-That bootstraps repo-local `/audit-code` surfaces for the hosts we can automate today, including:
+That bootstraps repo-local supporting surfaces for the hosts we can automate today, including:
 
 - Codex `AGENTS.md` fallback guidance for the global skill surface
 - Claude Desktop local MCP bundle artifacts and project template guidance
-- OpenCode `opencode.json` with the `/audit-code` slash command and auditor MCP server
+- OpenCode `opencode.json` with auditor MCP server and permission wiring; the `/audit-code` command stays in the global npm-installed OpenCode config
 - VS Code prompt, custom agent, Copilot instructions, and `.vscode/mcp.json`
 - Antigravity planning-mode guidance plus the shared repo-local MCP launcher
 
@@ -129,6 +130,16 @@ For one bounded debug step instead of run-to-completion:
 audit-code --single-step
 ```
 
+For the conversation step engine used by `/audit-code`:
+
+```bash
+audit-code next-step
+```
+
+This writes `.audit-artifacts/steps/current-step.json` and
+`.audit-artifacts/steps/current-prompt.md`; hosts should follow only the
+returned step prompt.
+
 For an operator-side artifact consistency check:
 
 ```bash

package/audit-code-wrapper-lib.mjs

@@ -258,6 +258,7 @@ function printHelp({ usageName, preferredEntrypoint }) {
     '- verify-install smoke-tests the generated host assets and repo-local MCP launchers after install',
     '- mcp starts the local stdio MCP server for repo-local IDE integrations',
     '- install-host --host copilot keeps the narrower Copilot-focused install path available',
+    '- next-step advances deterministic audit state and writes .audit-artifacts/steps/current-step.json plus current-prompt.md',
     '- validate checks the current artifact bundle plus session-config/provider readiness and exits non-zero when issues exist',
     '- validate-results --results FILE validates AuditResult payloads against the active task manifest without ingesting them',
     '- explain-task <task_id> prints the resolved file coverage and current status for a task id',
@@ -533,18 +534,82 @@ function renderCodexAutomationRecipe() {
   ].join('\n');
 }
 
-function renderOpenCodeProjectConfig(root, promptBody) {
+const OPENCODE_AUDIT_EDIT_PERMISSION = {
+  '*': 'ask',
+  '.audit-code/**': 'allow',
+  '.audit-artifacts/**': 'allow',
+  'audit-report.md': 'allow',
+};
+
+const OPENCODE_AUDIT_BASH_PERMISSION = {
+  '*': 'ask',
+  'audit-code run-to-completion*': 'deny',
+  'audit-code synthesize*': 'deny',
+  'audit-code cleanup*': 'deny',
+  'audit-code requeue*': 'deny',
+  'audit-code ingest-results*': 'deny',
+  '*dist*index.js* run-to-completion*': 'deny',
+  '*dist*index.js* synthesize*': 'deny',
+  '*dist*index.js* cleanup*': 'deny',
+  '*dist*index.js* requeue*': 'deny',
+  '*dist*index.js* ingest-results*': 'deny',
+  '*audit-code.mjs* run-to-completion*': 'deny',
+  '*audit-code.mjs* synthesize*': 'deny',
+  '*audit-code.mjs* cleanup*': 'deny',
+  '*audit-code.mjs* requeue*': 'deny',
+  '*audit-code.mjs* ingest-results*': 'deny',
+  'audit-code': 'allow',
+  'audit-code ensure*': 'allow',
+  'audit-code next-step*': 'allow',
+  'audit-code prepare-dispatch*': 'allow',
+  'audit-code submit-packet*': 'allow',
+  'audit-code merge-and-ingest*': 'allow',
+  'audit-code validate*': 'allow',
+  '*audit-code.mjs': 'allow',
+  '*audit-code.mjs* ensure*': 'allow',
+  '*audit-code.mjs* next-step*': 'allow',
+  '*audit-code.mjs* prepare-dispatch*': 'allow',
+  '*audit-code.mjs* submit-packet*': 'allow',
+  '*audit-code.mjs* merge-and-ingest*': 'allow',
+  '*audit-code.mjs* worker-run*': 'allow',
+  '*audit-code.mjs* validate*': 'allow',
+  '*node* *auditor-lambda*dist*index.js* worker-run*': 'allow',
+  'node* .audit-code/install/run-mcp-server.mjs*': 'allow',
+  'node* ./.audit-code/install/run-mcp-server.mjs*': 'allow',
+  'git status*': 'allow',
+  'git diff*': 'allow',
+  'grep *': 'allow',
+  'Select-String *': 'allow',
+  'rm *': 'deny',
+};
+
+function externalDirectoryPattern(path) {
+  return `${replaceBackslashes(path).replace(/\/+$/u, '')}/**`;
+}
+
+function renderOpenCodeExternalDirectoryPermission() {
+  return {
+    [externalDirectoryPattern(repoRoot)]: 'allow',
+    [externalDirectoryPattern(dirname(process.execPath))]: 'allow',
+  };
+}
+
+function renderOpenCodePermissionConfig() {
+  return {
+    read: 'allow',
+    glob: 'allow',
+    grep: 'allow',
+    external_directory: renderOpenCodeExternalDirectoryPermission(),
+    edit: { ...OPENCODE_AUDIT_EDIT_PERMISSION },
+    bash: { ...OPENCODE_AUDIT_BASH_PERMISSION },
+  };
+}
+
+function renderOpenCodeProjectConfig(root) {
   const launcher = replaceBackslashes(toRepoRelativePath(root, join(root, '.audit-code', 'install', MCP_LAUNCHER_FILENAME)));
+  const auditPermission = renderOpenCodePermissionConfig();
   return {
     $schema: 'https://opencode.ai/config.json',
-    command: {
-      'audit-code': {
-        template: promptBody.trimStart(),
-        description: 'Autonomous local loop code auditing',
-        agent: 'auditor',
-        subtask: false,
-      },
-    },
     mcp: {
       auditor: {
         type: 'local',
@@ -553,19 +618,7 @@ function renderOpenCodeProjectConfig(root, promptBody) {
         timeout: 10000,
       },
     },
-    permission: {
-      read: 'allow',
-      glob: 'allow',
-      grep: 'allow',
-      edit: 'ask',
-      bash: {
-        '*': 'ask',
-        'git status*': 'allow',
-        'git diff*': 'allow',
-        'grep *': 'allow',
-        'rm *': 'deny',
-      },
-    },
+    permission: auditPermission,
     agent: {
       auditor: {
         description:
@@ -574,14 +627,7 @@ function renderOpenCodeProjectConfig(root, promptBody) {
           'auditor*': true,
         },
         permission: {
-          edit: 'ask',
-          bash: {
-            '*': 'ask',
-            'git status*': 'allow',
-            'git diff*': 'allow',
-            'grep *': 'allow',
-            'rm *': 'deny',
-          },
+          ...auditPermission,
           question: 'allow',
         },
       },
@@ -607,26 +653,164 @@ function objectValue(value) {
     : {};
 }
 
-function buildMergedOpenCodeProjectConfig(existing, root, promptBody) {
-  const generated = renderOpenCodeProjectConfig(root, promptBody);
+function mergeOpenCodePermissionRule(existingRule, generatedRule, managedRules = {}) {
+  if (generatedRule && typeof generatedRule === 'object' && !Array.isArray(generatedRule)) {
+    const generatedObject = generatedRule;
+    const merged = {};
+    const existingObject =
+      existingRule && typeof existingRule === 'object' && !Array.isArray(existingRule)
+        ? existingRule
+        : {};
+
+    if (typeof existingRule === 'string') {
+      merged['*'] = existingRule;
+    } else {
+      merged['*'] = existingObject['*'] ?? generatedObject['*'] ?? 'ask';
+    }
+
+    for (const [key, value] of Object.entries(generatedObject)) {
+      if (key !== '*') merged[key] = value;
+    }
+    for (const [key, value] of Object.entries(existingObject)) {
+      if (key !== '*') merged[key] = value;
+    }
+    for (const [key, value] of Object.entries(managedRules)) {
+      merged[key] = value;
+    }
+
+    return merged;
+  }
+
+  return existingRule ?? generatedRule;
+}
+
+function mergeOpenCodePermissionConfig(existingPermission, generatedPermission) {
+  if (!existingPermission || typeof existingPermission !== 'object' || Array.isArray(existingPermission)) {
+    return generatedPermission;
+  }
+
+  return {
+    ...generatedPermission,
+    ...existingPermission,
+    read: generatedPermission.read,
+    glob: generatedPermission.glob,
+    grep: generatedPermission.grep,
+    external_directory: mergeOpenCodePermissionRule(
+      existingPermission.external_directory,
+      generatedPermission.external_directory,
+      generatedPermission.external_directory,
+    ),
+    edit: mergeOpenCodePermissionRule(
+      existingPermission.edit,
+      generatedPermission.edit,
+      OPENCODE_AUDIT_EDIT_PERMISSION,
+    ),
+    bash: mergeOpenCodePermissionRule(
+      existingPermission.bash,
+      generatedPermission.bash,
+      OPENCODE_AUDIT_BASH_PERMISSION,
+    ),
+  };
+}
+
+function removeManagedOpenCodeCommand(commandConfig) {
+  const command = objectValue(commandConfig);
+  const { 'audit-code': _managedAuditCodeCommand, ...remaining } = command;
+  return remaining;
+}
+
+function assertOpenCodeAuditPermissionConfig(permissionConfig, label) {
+  for (const tool of ['read', 'glob', 'grep']) {
+    if (permissionConfig?.[tool] !== 'allow') {
+      throw new Error(`OpenCode ${label}.${tool} must be allow. Run "audit-code install --host opencode".`);
+    }
+  }
+  const externalDirectory = permissionConfig?.external_directory;
+  if (!externalDirectory || typeof externalDirectory !== 'object' || Array.isArray(externalDirectory)) {
+    throw new Error(`OpenCode ${label}.external_directory must allow audit package paths. Run "audit-code install --host opencode".`);
+  }
+  for (const pattern of Object.keys(renderOpenCodeExternalDirectoryPermission())) {
+    if (externalDirectory[pattern] !== 'allow') {
+      throw new Error(`OpenCode ${label}.external_directory must allow ${pattern}. Run "audit-code install --host opencode".`);
+    }
+  }
+  const edit = permissionConfig?.edit;
+  const bash = permissionConfig?.bash;
+  if (!edit || typeof edit !== 'object' || Array.isArray(edit)) {
+    throw new Error(`OpenCode ${label}.edit must allow audit-owned file paths. Run "audit-code install --host opencode".`);
+  }
+  for (const pattern of ['.audit-code/**', '.audit-artifacts/**', 'audit-report.md']) {
+    if (edit[pattern] !== 'allow') {
+      throw new Error(`OpenCode ${label}.edit must allow ${pattern}. Run "audit-code install --host opencode".`);
+    }
+  }
+  if (!bash || typeof bash !== 'object' || Array.isArray(bash)) {
+    throw new Error(`OpenCode ${label}.bash must allow audit-code commands. Run "audit-code install --host opencode".`);
+  }
+  for (const pattern of [
+    'audit-code',
+    'audit-code ensure*',
+    'audit-code next-step*',
+    'audit-code prepare-dispatch*',
+    'audit-code submit-packet*',
+    'audit-code merge-and-ingest*',
+    '*audit-code.mjs',
+    '*audit-code.mjs* next-step*',
+    '*audit-code.mjs* submit-packet*',
+    '*audit-code.mjs* merge-and-ingest*',
+    '*audit-code.mjs* worker-run*',
+    '*node* *auditor-lambda*dist*index.js* worker-run*',
+    'node* .audit-code/install/run-mcp-server.mjs*',
+    'Select-String *',
+  ]) {
+    if (bash[pattern] !== 'allow') {
+      throw new Error(`OpenCode ${label}.bash must allow ${pattern}. Run "audit-code install --host opencode".`);
+    }
+  }
+  for (const pattern of [
+    'audit-code run-to-completion*',
+    'audit-code synthesize*',
+    'audit-code cleanup*',
+    'audit-code requeue*',
+    'audit-code ingest-results*',
+    '*dist*index.js* run-to-completion*',
+    '*dist*index.js* synthesize*',
+    '*dist*index.js* cleanup*',
+    '*dist*index.js* requeue*',
+    '*dist*index.js* ingest-results*',
+    '*audit-code.mjs* run-to-completion*',
+    '*audit-code.mjs* synthesize*',
+    '*audit-code.mjs* cleanup*',
+    '*audit-code.mjs* requeue*',
+    '*audit-code.mjs* ingest-results*',
+  ]) {
+    if (bash[pattern] !== 'deny') {
+      throw new Error(`OpenCode ${label}.bash must deny ${pattern}. Run "audit-code install --host opencode".`);
+    }
+  }
+}
+
+function buildMergedOpenCodeProjectConfig(existing, root) {
+  const generated = renderOpenCodeProjectConfig(root);
   return {
     ...existing,
     $schema: existing.$schema ?? generated.$schema,
-    command: {
-      ...objectValue(existing.command),
-      'audit-code': generated.command['audit-code'],
-    },
+    command: removeManagedOpenCodeCommand(existing.command),
     mcp: {
       ...objectValue(existing.mcp),
       auditor: generated.mcp.auditor,
     },
-    permission:
-      existing.permission && typeof existing.permission === 'object' && !Array.isArray(existing.permission)
-        ? existing.permission
-        : generated.permission,
+    permission: mergeOpenCodePermissionConfig(existing.permission, generated.permission),
     agent: {
       ...objectValue(existing.agent),
-      auditor: generated.agent.auditor,
+      auditor: {
+        ...objectValue(objectValue(existing.agent).auditor),
+        ...generated.agent.auditor,
+        permission: mergeOpenCodePermissionConfig(
+          objectValue(objectValue(existing.agent).auditor).permission,
+          generated.agent.auditor.permission,
+        ),
+      },
     },
   };
 }
@@ -1094,9 +1278,9 @@ const INSTALL_HOST_DEFINITIONS = {
     host: 'opencode',
     label: 'OpenCode',
     support_level: 'supported',
-    setup_kind: 'command+agent+mcp',
+    setup_kind: 'global-command+project-mcp',
     summary:
-      'Use the generated `opencode.json` so the `/audit-code` slash command and the local auditor MCP server are both available.',
+      'Use the global OpenCode `/audit-code` command installed by npm plus generated project MCP and permission wiring.',
     primary_path_key: 'opencodeConfigPath',
     supporting_path_keys: [
       'agentsInstructionsPath',
@@ -1104,8 +1288,8 @@ const INSTALL_HOST_DEFINITIONS = {
     ],
     steps: [
       'Open this repository in OpenCode.',
-      'Let OpenCode load the generated `opencode.json` — it registers the `/audit-code` slash command and the auditor MCP server.',
-      'Invoke `/audit-code` and keep the audit loop on the auditor MCP tools.',
+      'Use the global `/audit-code` command installed by `npm install -g auditor-lambda`.',
+      'Let OpenCode load the generated `opencode.json` for the auditor MCP server and project permissions only.',
     ],
     profile: {
       writeOpenCode: true,
@@ -1814,16 +1998,13 @@ async function verifyInstalledBootstrap(argv) {
           if (config?.mcp?.auditor?.type !== 'local') {
             throw new Error(`OpenCode config must set mcp.auditor.type to "local", got ${config?.mcp?.auditor?.type ?? 'missing'}.`);
           }
-          const commandConfig = config?.command?.['audit-code'];
-          if (!commandConfig?.template) {
-            throw new Error('OpenCode config is missing command["audit-code"].template — the /audit-code slash command will not surface. Run "audit-code install".');
-          }
-          const { body: sourceBody } = splitFrontmatter(await readFile(promptAssetPath, 'utf8'));
-          if (commandConfig.template !== sourceBody.trimStart()) {
-            throw new Error('OpenCode config command["audit-code"].template is out of sync with the source prompt. Run "audit-code install".');
+          if (config?.command?.['audit-code']) {
+            throw new Error('OpenCode project config must not define command["audit-code"]; the slash command is global npm-installed state. Run "audit-code install --host opencode" to remove the stale local command.');
           }
+          assertOpenCodeAuditPermissionConfig(config?.permission, 'permission');
+          assertOpenCodeAuditPermissionConfig(config?.agent?.auditor?.permission, 'agent.auditor.permission');
           return {
-            summary: 'OpenCode project config has MCP server and /audit-code slash command.',
+            summary: 'OpenCode project config has MCP server and audit permissions; /audit-code is supplied by the global npm-installed OpenCode command.',
             path: assetPaths.opencodeConfigPath,
           };
         });
@@ -1998,8 +2179,14 @@ async function detectBootstrapRefreshReason(root, host) {
       }
       case 'opencode': {
         const opencodeConfig = await readJson(assetPaths.opencodeConfigPath, 'OpenCode config').catch(() => null);
-        if (opencodeConfig?.command?.['audit-code']?.template !== sourcePromptBody.trimStart()) {
-          return 'stale_host_asset:opencode:config_command';
+        if (opencodeConfig?.command?.['audit-code']) {
+          return 'stale_host_asset:opencode:local_command';
+        }
+        try {
+          assertOpenCodeAuditPermissionConfig(opencodeConfig?.permission, 'permission');
+          assertOpenCodeAuditPermissionConfig(opencodeConfig?.agent?.auditor?.permission, 'agent.auditor.permission');
+        } catch {
+          return 'stale_host_asset:opencode:permissions';
         }
         if (await fileExists(join(root, '.opencode', 'commands', 'audit-code.md'))) {
           return 'stale_host_asset:opencode:legacy_command_file';
@@ -2260,7 +2447,7 @@ async function installBootstrap(argv, options = {}) {
       await writeMergedGeneratedJson(
         assetPaths.opencodeConfigPath,
         'OpenCode project config',
-        (existing) => buildMergedOpenCodeProjectConfig(existing, root, promptBody),
+        (existing) => buildMergedOpenCodeProjectConfig(existing, root),
       ),
     );
   }
@@ -2483,6 +2670,11 @@ export async function runAuditCodeWrapper({
     return;
   }
 
+  if (argv[0] === 'next-step') {
+    await runDistCommand('next-step', argv.slice(1), { ensureArtifactsDir: true });
+    return;
+  }
+
   if (argv[0] === 'prepare-dispatch') {
     await runDistCommand('prepare-dispatch', argv.slice(1));
     return;