auditor-lambda 0.3.20 → 0.3.21

package/README.md

@@ -51,11 +51,11 @@ The explicit repair and compatibility setup path remains:
 audit-code install
 ```
 
-That bootstraps repo-local `/audit-code` surfaces for the hosts we can automate today, including:
+That bootstraps repo-local supporting surfaces for the hosts we can automate today, including:
 
 - Codex `AGENTS.md` fallback guidance for the global skill surface
 - Claude Desktop local MCP bundle artifacts and project template guidance
-- OpenCode `opencode.json` with the `/audit-code` slash command and auditor MCP server
+- OpenCode `opencode.json` with auditor MCP server and permission wiring; the `/audit-code` command stays in the global npm-installed OpenCode config
 - VS Code prompt, custom agent, Copilot instructions, and `.vscode/mcp.json`
 - Antigravity planning-mode guidance plus the shared repo-local MCP launcher
 
@@ -130,6 +130,16 @@ For one bounded debug step instead of run-to-completion:
 audit-code --single-step
 ```
 
+For the conversation step engine used by `/audit-code`:
+
+```bash
+audit-code next-step
+```
+
+This writes `.audit-artifacts/steps/current-step.json` and
+`.audit-artifacts/steps/current-prompt.md`; hosts should follow only the
+returned step prompt.
+
 For an operator-side artifact consistency check:
 
 ```bash

package/audit-code-wrapper-lib.mjs

@@ -258,6 +258,7 @@ function printHelp({ usageName, preferredEntrypoint }) {
     '- verify-install smoke-tests the generated host assets and repo-local MCP launchers after install',
     '- mcp starts the local stdio MCP server for repo-local IDE integrations',
     '- install-host --host copilot keeps the narrower Copilot-focused install path available',
+    '- next-step advances deterministic audit state and writes .audit-artifacts/steps/current-step.json plus current-prompt.md',
     '- validate checks the current artifact bundle plus session-config/provider readiness and exits non-zero when issues exist',
     '- validate-results --results FILE validates AuditResult payloads against the active task manifest without ingesting them',
     '- explain-task <task_id> prints the resolved file coverage and current status for a task id',
@@ -547,6 +548,11 @@ const OPENCODE_AUDIT_BASH_PERMISSION = {
   'audit-code cleanup*': 'deny',
   'audit-code requeue*': 'deny',
   'audit-code ingest-results*': 'deny',
+  '*dist*index.js* run-to-completion*': 'deny',
+  '*dist*index.js* synthesize*': 'deny',
+  '*dist*index.js* cleanup*': 'deny',
+  '*dist*index.js* requeue*': 'deny',
+  '*dist*index.js* ingest-results*': 'deny',
   '*audit-code.mjs* run-to-completion*': 'deny',
   '*audit-code.mjs* synthesize*': 'deny',
   '*audit-code.mjs* cleanup*': 'deny',
@@ -554,48 +560,56 @@ const OPENCODE_AUDIT_BASH_PERMISSION = {
   '*audit-code.mjs* ingest-results*': 'deny',
   'audit-code': 'allow',
   'audit-code ensure*': 'allow',
+  'audit-code next-step*': 'allow',
   'audit-code prepare-dispatch*': 'allow',
   'audit-code submit-packet*': 'allow',
   'audit-code merge-and-ingest*': 'allow',
   'audit-code validate*': 'allow',
   '*audit-code.mjs': 'allow',
   '*audit-code.mjs* ensure*': 'allow',
+  '*audit-code.mjs* next-step*': 'allow',
   '*audit-code.mjs* prepare-dispatch*': 'allow',
   '*audit-code.mjs* submit-packet*': 'allow',
   '*audit-code.mjs* merge-and-ingest*': 'allow',
   '*audit-code.mjs* worker-run*': 'allow',
   '*audit-code.mjs* validate*': 'allow',
+  '*node* *auditor-lambda*dist*index.js* worker-run*': 'allow',
   'node* .audit-code/install/run-mcp-server.mjs*': 'allow',
   'node* ./.audit-code/install/run-mcp-server.mjs*': 'allow',
   'git status*': 'allow',
   'git diff*': 'allow',
   'grep *': 'allow',
+  'Select-String *': 'allow',
   'rm *': 'deny',
 };
 
+function externalDirectoryPattern(path) {
+  return `${replaceBackslashes(path).replace(/\/+$/u, '')}/**`;
+}
+
+function renderOpenCodeExternalDirectoryPermission() {
+  return {
+    [externalDirectoryPattern(repoRoot)]: 'allow',
+    [externalDirectoryPattern(dirname(process.execPath))]: 'allow',
+  };
+}
+
 function renderOpenCodePermissionConfig() {
   return {
     read: 'allow',
     glob: 'allow',
     grep: 'allow',
+    external_directory: renderOpenCodeExternalDirectoryPermission(),
     edit: { ...OPENCODE_AUDIT_EDIT_PERMISSION },
     bash: { ...OPENCODE_AUDIT_BASH_PERMISSION },
   };
 }
 
-function renderOpenCodeProjectConfig(root, promptBody) {
+function renderOpenCodeProjectConfig(root) {
   const launcher = replaceBackslashes(toRepoRelativePath(root, join(root, '.audit-code', 'install', MCP_LAUNCHER_FILENAME)));
   const auditPermission = renderOpenCodePermissionConfig();
   return {
     $schema: 'https://opencode.ai/config.json',
-    command: {
-      'audit-code': {
-        template: promptBody.trimStart(),
-        description: 'Autonomous local loop code auditing',
-        agent: 'auditor',
-        subtask: false,
-      },
-    },
     mcp: {
       auditor: {
         type: 'local',
@@ -613,8 +627,7 @@ function renderOpenCodeProjectConfig(root, promptBody) {
           'auditor*': true,
         },
         permission: {
-          edit: { ...OPENCODE_AUDIT_EDIT_PERMISSION },
-          bash: { ...OPENCODE_AUDIT_BASH_PERMISSION },
+          ...auditPermission,
           question: 'allow',
         },
       },
@@ -679,6 +692,14 @@ function mergeOpenCodePermissionConfig(existingPermission, generatedPermission)
   return {
     ...generatedPermission,
     ...existingPermission,
+    read: generatedPermission.read,
+    glob: generatedPermission.glob,
+    grep: generatedPermission.grep,
+    external_directory: mergeOpenCodePermissionRule(
+      existingPermission.external_directory,
+      generatedPermission.external_directory,
+      generatedPermission.external_directory,
+    ),
     edit: mergeOpenCodePermissionRule(
       existingPermission.edit,
       generatedPermission.edit,
@@ -692,7 +713,27 @@ function mergeOpenCodePermissionConfig(existingPermission, generatedPermission)
   };
 }
 
+function removeManagedOpenCodeCommand(commandConfig) {
+  const command = objectValue(commandConfig);
+  const { 'audit-code': _managedAuditCodeCommand, ...remaining } = command;
+  return remaining;
+}
+
 function assertOpenCodeAuditPermissionConfig(permissionConfig, label) {
+  for (const tool of ['read', 'glob', 'grep']) {
+    if (permissionConfig?.[tool] !== 'allow') {
+      throw new Error(`OpenCode ${label}.${tool} must be allow. Run "audit-code install --host opencode".`);
+    }
+  }
+  const externalDirectory = permissionConfig?.external_directory;
+  if (!externalDirectory || typeof externalDirectory !== 'object' || Array.isArray(externalDirectory)) {
+    throw new Error(`OpenCode ${label}.external_directory must allow audit package paths. Run "audit-code install --host opencode".`);
+  }
+  for (const pattern of Object.keys(renderOpenCodeExternalDirectoryPermission())) {
+    if (externalDirectory[pattern] !== 'allow') {
+      throw new Error(`OpenCode ${label}.external_directory must allow ${pattern}. Run "audit-code install --host opencode".`);
+    }
+  }
   const edit = permissionConfig?.edit;
   const bash = permissionConfig?.bash;
   if (!edit || typeof edit !== 'object' || Array.isArray(edit)) {
@@ -709,13 +750,18 @@ function assertOpenCodeAuditPermissionConfig(permissionConfig, label) {
   for (const pattern of [
     'audit-code',
     'audit-code ensure*',
+    'audit-code next-step*',
     'audit-code prepare-dispatch*',
     'audit-code submit-packet*',
     'audit-code merge-and-ingest*',
     '*audit-code.mjs',
+    '*audit-code.mjs* next-step*',
     '*audit-code.mjs* submit-packet*',
     '*audit-code.mjs* merge-and-ingest*',
+    '*audit-code.mjs* worker-run*',
+    '*node* *auditor-lambda*dist*index.js* worker-run*',
     'node* .audit-code/install/run-mcp-server.mjs*',
+    'Select-String *',
   ]) {
     if (bash[pattern] !== 'allow') {
       throw new Error(`OpenCode ${label}.bash must allow ${pattern}. Run "audit-code install --host opencode".`);
@@ -724,8 +770,19 @@ function assertOpenCodeAuditPermissionConfig(permissionConfig, label) {
   for (const pattern of [
     'audit-code run-to-completion*',
     'audit-code synthesize*',
+    'audit-code cleanup*',
+    'audit-code requeue*',
+    'audit-code ingest-results*',
+    '*dist*index.js* run-to-completion*',
+    '*dist*index.js* synthesize*',
+    '*dist*index.js* cleanup*',
+    '*dist*index.js* requeue*',
+    '*dist*index.js* ingest-results*',
     '*audit-code.mjs* run-to-completion*',
     '*audit-code.mjs* synthesize*',
+    '*audit-code.mjs* cleanup*',
+    '*audit-code.mjs* requeue*',
+    '*audit-code.mjs* ingest-results*',
   ]) {
     if (bash[pattern] !== 'deny') {
       throw new Error(`OpenCode ${label}.bash must deny ${pattern}. Run "audit-code install --host opencode".`);
@@ -733,15 +790,12 @@ function assertOpenCodeAuditPermissionConfig(permissionConfig, label) {
   }
 }
 
-function buildMergedOpenCodeProjectConfig(existing, root, promptBody) {
-  const generated = renderOpenCodeProjectConfig(root, promptBody);
+function buildMergedOpenCodeProjectConfig(existing, root) {
+  const generated = renderOpenCodeProjectConfig(root);
   return {
     ...existing,
     $schema: existing.$schema ?? generated.$schema,
-    command: {
-      ...objectValue(existing.command),
-      'audit-code': generated.command['audit-code'],
-    },
+    command: removeManagedOpenCodeCommand(existing.command),
     mcp: {
       ...objectValue(existing.mcp),
       auditor: generated.mcp.auditor,
@@ -1224,9 +1278,9 @@ const INSTALL_HOST_DEFINITIONS = {
     host: 'opencode',
     label: 'OpenCode',
     support_level: 'supported',
-    setup_kind: 'command+agent+mcp',
+    setup_kind: 'global-command+project-mcp',
     summary:
-      'Use the generated `opencode.json` so the `/audit-code` slash command and the local auditor MCP server are both available.',
+      'Use the global OpenCode `/audit-code` command installed by npm plus generated project MCP and permission wiring.',
     primary_path_key: 'opencodeConfigPath',
     supporting_path_keys: [
       'agentsInstructionsPath',
@@ -1234,8 +1288,8 @@ const INSTALL_HOST_DEFINITIONS = {
     ],
     steps: [
       'Open this repository in OpenCode.',
-      'Let OpenCode load the generated `opencode.json` — it registers the `/audit-code` slash command and the auditor MCP server.',
-      'Invoke `/audit-code` and keep the audit loop on the auditor MCP tools.',
+      'Use the global `/audit-code` command installed by `npm install -g auditor-lambda`.',
+      'Let OpenCode load the generated `opencode.json` for the auditor MCP server and project permissions only.',
     ],
     profile: {
       writeOpenCode: true,
@@ -1944,18 +1998,13 @@ async function verifyInstalledBootstrap(argv) {
           if (config?.mcp?.auditor?.type !== 'local') {
             throw new Error(`OpenCode config must set mcp.auditor.type to "local", got ${config?.mcp?.auditor?.type ?? 'missing'}.`);
           }
-          const commandConfig = config?.command?.['audit-code'];
-          if (!commandConfig?.template) {
-            throw new Error('OpenCode config is missing command["audit-code"].template — the /audit-code slash command will not surface. Run "audit-code install".');
-          }
-          const { body: sourceBody } = splitFrontmatter(await readFile(promptAssetPath, 'utf8'));
-          if (commandConfig.template !== sourceBody.trimStart()) {
-            throw new Error('OpenCode config command["audit-code"].template is out of sync with the source prompt. Run "audit-code install".');
+          if (config?.command?.['audit-code']) {
+            throw new Error('OpenCode project config must not define command["audit-code"]; the slash command is global npm-installed state. Run "audit-code install --host opencode" to remove the stale local command.');
           }
           assertOpenCodeAuditPermissionConfig(config?.permission, 'permission');
           assertOpenCodeAuditPermissionConfig(config?.agent?.auditor?.permission, 'agent.auditor.permission');
           return {
-            summary: 'OpenCode project config has MCP server, /audit-code slash command, and audit permissions.',
+            summary: 'OpenCode project config has MCP server and audit permissions; /audit-code is supplied by the global npm-installed OpenCode command.',
             path: assetPaths.opencodeConfigPath,
           };
         });
@@ -2130,8 +2179,8 @@ async function detectBootstrapRefreshReason(root, host) {
       }
       case 'opencode': {
         const opencodeConfig = await readJson(assetPaths.opencodeConfigPath, 'OpenCode config').catch(() => null);
-        if (opencodeConfig?.command?.['audit-code']?.template !== sourcePromptBody.trimStart()) {
-          return 'stale_host_asset:opencode:config_command';
+        if (opencodeConfig?.command?.['audit-code']) {
+          return 'stale_host_asset:opencode:local_command';
         }
         try {
           assertOpenCodeAuditPermissionConfig(opencodeConfig?.permission, 'permission');
@@ -2398,7 +2447,7 @@ async function installBootstrap(argv, options = {}) {
       await writeMergedGeneratedJson(
         assetPaths.opencodeConfigPath,
         'OpenCode project config',
-        (existing) => buildMergedOpenCodeProjectConfig(existing, root, promptBody),
+        (existing) => buildMergedOpenCodeProjectConfig(existing, root),
       ),
     );
   }
@@ -2621,6 +2670,11 @@ export async function runAuditCodeWrapper({
     return;
   }
 
+  if (argv[0] === 'next-step') {
+    await runDistCommand('next-step', argv.slice(1), { ensureArtifactsDir: true });
+    return;
+  }
+
   if (argv[0] === 'prepare-dispatch') {
     await runDistCommand('prepare-dispatch', argv.slice(1));
     return;