auditor-lambda 0.3.23 → 0.3.24

package/audit-code-wrapper-lib.mjs

@@ -605,6 +605,19 @@ function renderOpenCodePermissionConfig() {
   };
 }
 
+const OPENCODE_MCP_COMMAND_TEMPLATE = [
+  '# audit-code',
+  '',
+  'Use the auditor MCP tools as the primary interface to the audit workflow.',
+  '',
+  '1. Call `auditor_start_audit` to initialize and receive the first step.',
+  '2. Read the `prompt_content` field in the response and follow the instructions there.',
+  '3. When a step completes (not blocked), call `auditor_continue_audit` to advance.',
+  '4. Stop when the step instructions say to stop.',
+  '',
+  'Do not run shell commands. Use only `auditor_*` MCP tools and the `task` tool for subagent dispatch.',
+].join('\n');
+
 function renderOpenCodeProjectConfig(root) {
   const launcher = replaceBackslashes(toRepoRelativePath(root, join(root, '.audit-code', 'install', MCP_LAUNCHER_FILENAME)));
   const auditPermission = renderOpenCodePermissionConfig();
@@ -625,10 +638,12 @@ function renderOpenCodeProjectConfig(root) {
           'Read-heavy audit orchestration agent for the /audit-code workflow.',
         tools: {
           'auditor*': true,
+          task: true,
         },
         permission: {
           ...auditPermission,
           question: 'allow',
+          task: 'allow',
         },
       },
     },

package/dist/cli.js

@@ -523,10 +523,21 @@ function renderCapabilityCheckPrompt(params) {
     return [
         "# audit-code capability check",
         "",
-        "Decide one thing from the active toolset: does this host expose a callable subagent/delegation tool for source-code review, such as Agent, Task, or an equivalent built-in subagent call?",
+        "Decide one thing from the active toolset: does this host expose a callable subagent/delegation tool for source-code review, such as `task`, Agent, or an equivalent built-in subagent call?",
         "",
         "Do not run shell commands to answer this. Do not inspect packet prompts, schemas, or backend command catalogs.",
         "",
+        "**If auditor MCP tools are available** (preferred — no shell required):",
+        "",
+        "Call `auditor_report_capability` with:",
+        "- `can_dispatch_subagents: true` if the `task` tool or equivalent subagent dispatch is available",
+        "- `can_dispatch_subagents: false` if not",
+        "- Optionally `can_restrict_subagent_tools: true` and/or `can_select_subagent_model: true`",
+        "",
+        "Read the `prompt_content` field in the tool response and follow it.",
+        "",
+        "**Fallback — if auditor MCP tools are not available:**",
+        "",
         "If callable subagents are available, run:",
         "",
         `  ${yesCommand}`,
@@ -550,30 +561,41 @@ function renderDispatchReviewPrompt(params) {
     const toolsLine = params.hostCanRestrictSubagentTools
         ? "Restrict review subagents to read/search plus the packet submit command named in their prompt. Do not give them source edit/write tools."
         : "Do not ask the user about per-subagent tool restrictions; this host did not report a callable restriction facility.";
-    const fileLines = params.dispatchQuotaPath
+    const runId = params.activeReviewRun.run_id;
+    const dispatchDataLines = params.dispatchQuotaPath
         ? [
-            "Dispatch is prepared. Read both of these files:",
+            "**If auditor MCP tools are available** (preferred):",
+            "",
+            "The dispatch plan entries are in the `dispatch_plan_entries` field of the tool response that returned this step. The wave schedule is in the `dispatch_quota` field.",
+            "",
+            "Use the `wave_size` from `dispatch_quota`. If `cooldown_until` is non-null, wait until that timestamp before starting the first wave.",
+            "",
+            "For each wave: use the `task` tool (or equivalent subagent dispatch) to launch up to `wave_size` subagents in parallel (one per entry), wait for all to finish, then start the next wave.",
+            "",
+            "**Fallback — if auditor MCP tools are not available:** Read both of these files:",
             "",
             `  Dispatch plan:  ${params.dispatchPlanPath}`,
             `  Dispatch quota: ${params.dispatchQuotaPath}`,
             "",
-            "The quota file contains a `wave_size` field. Dispatch at most `wave_size` subagents at a time. If `cooldown_until` is non-null, wait until that timestamp before starting the first wave.",
-            "",
-            "For each wave: launch up to `wave_size` subagents in parallel (one per plan entry), wait for all of them to finish, then start the next wave. Repeat until all entries are dispatched.",
+            "Apply the same wave logic from the quota file.",
         ]
         : [
-            "Dispatch is prepared. Read only this dispatch plan JSON:",
+            "**If auditor MCP tools are available** (preferred):",
+            "",
+            "The dispatch plan entries are in the `dispatch_plan_entries` field of the tool response that returned this step.",
+            "",
+            "**Fallback — if auditor MCP tools are not available:** Read this dispatch plan JSON:",
             "",
             `  ${params.dispatchPlanPath}`,
             "",
-            "Launch one host subagent for each entry in the plan.",
+            "Launch one subagent for each entry in the plan.",
         ];
     return [
         "# audit-code dispatch review",
         "",
-        ...fileLines,
+        ...dispatchDataLines,
         "",
-        "Pass each packet prompt path literally to its subagent; do not load packet prompt files into this orchestrator context.",
+        "Pass each `entry.prompt_path` literally to its subagent; do not load packet prompt files into this orchestrator context.",
         "",
         "Subagent prompt shape:",
         "",
@@ -584,7 +606,11 @@ function renderDispatchReviewPrompt(params) {
         "",
         "Each subagent must submit its packet through the submit command printed in its packet prompt and stop after successful submission.",
         "",
-        "After all waves complete, run exactly:",
+        "**After all waves complete:**",
+        "",
+        "If auditor MCP tools are available, call `auditor_merge_and_ingest` with `{ run_id: \"" + runId + "\" }`, then call `auditor_continue_audit` and follow the `prompt_content` in the response.",
+        "",
+        "Fallback — if auditor MCP tools are not available, run exactly:",
         "",
         `  ${mergeCommand}`,
         "",
@@ -624,9 +650,11 @@ function renderPresentReportPrompt(finalReportPath) {
         "",
         "The deterministic audit is complete.",
         "",
-        "Read this report and present the completed audit with work blocks first:",
-        "",
+        "Read the final audit report from the `audit-code://report/current` MCP resource (or from the file at:",
         `  ${finalReportPath}`,
+        "if a Read tool is available).",
+        "",
+        "Present the completed audit with work blocks first.",
         "",
         "Do not run the orchestrator again for this completed audit.",
         "",
@@ -1231,8 +1259,13 @@ async function cmdNextStep(argv) {
         stepKind: "dispatch_review",
         status: "ready",
         runId: result.activeReviewRun.run_id,
-        allowedCommands: [mergeCommand, continueCommand],
-        stopCondition: "Dispatch every packet, merge-and-ingest once, then run next-step again.",
+        allowedCommands: [
+            "auditor_merge_and_ingest",
+            "auditor_continue_audit",
+            mergeCommand,
+            continueCommand,
+        ],
+        stopCondition: "Dispatch every packet, call auditor_merge_and_ingest once, then call auditor_continue_audit.",
         repoRoot: root,
         artifactPaths: {
             dispatch_plan: dispatch.dispatch_plan_path,

package/dist/mcp/server.js

@@ -85,6 +85,14 @@ function parseContentLength(headerBlock) {
     }
     return contentLength;
 }
+async function readOptionalJson(path) {
+    try {
+        return JSON.parse(await readFile(path, "utf8"));
+    }
+    catch {
+        return undefined;
+    }
+}
 async function runWrapperCommand(args, options) {
     return await new Promise((resolvePromise, rejectPromise) => {
         const child = spawn(process.execPath, [
@@ -266,13 +274,41 @@ function renderPrompt(name, args) {
             throw new Error(`Unknown prompt: ${name}`);
     }
 }
+async function runContinueAudit(context, extraArgs = []) {
+    const step = await parseCliJson(extraArgs, context);
+    if (!step || typeof step !== "object" || Array.isArray(step))
+        return step;
+    const s = step;
+    if (hasValue(s.prompt_path)) {
+        try {
+            s.prompt_content = await readFile(s.prompt_path, "utf8");
+        }
+        catch {
+            // ignore — prompt_path is a fallback for hosts that can read files
+        }
+    }
+    if (s.step_kind === "dispatch_review") {
+        const paths = s.artifact_paths;
+        if (hasValue(paths?.dispatch_plan)) {
+            const plan = await readOptionalJson(paths.dispatch_plan);
+            if (plan !== undefined)
+                s.dispatch_plan_entries = plan;
+        }
+        if (hasValue(paths?.dispatch_quota)) {
+            const quota = await readOptionalJson(paths.dispatch_quota);
+            if (quota !== undefined)
+                s.dispatch_quota = quota;
+        }
+    }
+    return s;
+}
 async function handleToolCall(name, params, defaults) {
     const context = getToolContext(params, defaults);
     switch (name) {
         case "start_audit":
-            return toolResult(await parseCliJson([], context));
+            return toolResult(await runContinueAudit(context));
         case "continue_audit":
-            return toolResult(await parseCliJson([], context));
+            return toolResult(await runContinueAudit(context));
         case "get_status":
             return toolResult(await getStatusPayload(context));
         case "explain_task": {
@@ -304,6 +340,32 @@ async function handleToolCall(name, params, defaults) {
                 : params?.updatesPath;
             return toolResult(await parseCliJson(["--updates", resolve(updatesPath)], context));
         }
+        case "merge_and_ingest": {
+            const runId = hasValue(params?.run_id)
+                ? params.run_id
+                : hasValue(params?.runId)
+                    ? params.runId
+                    : undefined;
+            if (!runId)
+                throw new Error("merge_and_ingest requires run_id.");
+            return toolResult(await parseCliJson(["merge-and-ingest", "--run-id", runId], context, true));
+        }
+        case "report_capability": {
+            const extraArgs = [];
+            const canDispatch = params?.can_dispatch_subagents ?? params?.canDispatchSubagents;
+            if (canDispatch !== undefined) {
+                extraArgs.push("--host-can-dispatch-subagents", String(Boolean(canDispatch)));
+            }
+            const canRestrict = params?.can_restrict_subagent_tools ?? params?.canRestrictSubagentTools;
+            if (canRestrict !== undefined) {
+                extraArgs.push("--host-can-restrict-subagent-tools", String(Boolean(canRestrict)));
+            }
+            const canSelect = params?.can_select_subagent_model ?? params?.canSelectSubagentModel;
+            if (canSelect !== undefined) {
+                extraArgs.push("--host-can-select-subagent-model", String(Boolean(canSelect)));
+            }
+            return toolResult(await runContinueAudit(context, ["next-step", ...extraArgs]));
+        }
         default:
             throw new Error(`Unknown tool: ${name}`);
     }
@@ -423,6 +485,52 @@ function toolDefinitions() {
                 required: ["updates_path"],
             },
         },
+        {
+            name: "merge_and_ingest",
+            description: "Merge completed packet submissions into the artifact bundle after all dispatch subagents finish.",
+            inputSchema: {
+                type: "object",
+                properties: {
+                    run_id: {
+                        type: "string",
+                        description: "Review run ID from the dispatch_review step response.",
+                    },
+                    root: { type: "string", description: "Repository root override." },
+                    artifacts_dir: {
+                        type: "string",
+                        description: "Artifacts directory override.",
+                    },
+                },
+                required: ["run_id"],
+            },
+        },
+        {
+            name: "report_capability",
+            description: "Report host subagent dispatch capability and advance to the next step. Call this instead of running audit-code next-step from the shell during a capability_check step.",
+            inputSchema: {
+                type: "object",
+                properties: {
+                    can_dispatch_subagents: {
+                        type: "boolean",
+                        description: "Whether this host can dispatch subagents (e.g. via the task tool).",
+                    },
+                    can_restrict_subagent_tools: {
+                        type: "boolean",
+                        description: "Whether this host can restrict tools per subagent.",
+                    },
+                    can_select_subagent_model: {
+                        type: "boolean",
+                        description: "Whether this host can select a model per subagent.",
+                    },
+                    root: { type: "string", description: "Repository root override." },
+                    artifacts_dir: {
+                        type: "string",
+                        description: "Artifacts directory override.",
+                    },
+                },
+                required: ["can_dispatch_subagents"],
+            },
+        },
     ];
 }
 export async function runAuditCodeMcpServer(argv) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.3.23",
+  "version": "0.3.24",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",

package/scripts/postinstall.mjs

@@ -35,13 +35,6 @@ function writeGeneratedFile(path, content) {
   return action;
 }
 
-function splitFrontmatter(text) {
-  const normalized = text.replace(/\r\n/g, '\n');
-  const match = normalized.match(/^---\n([\s\S]*?)\n---\n?/u);
-  if (!match) return { body: normalized };
-  return { body: normalized.slice(match[0].length) };
-}
-
 const OPENCODE_AUDIT_EDIT_PERMISSION = {
   '*': 'ask',
   '.audit-code/**': 'allow',
@@ -183,7 +176,20 @@ function renderOpenCodePermissionConfig() {
   };
 }
 
-function mergeOpenCodeGlobalConfig(existing, promptBody) {
+const OPENCODE_MCP_COMMAND_TEMPLATE = [
+  '# audit-code',
+  '',
+  'Use the auditor MCP tools as the primary interface to the audit workflow.',
+  '',
+  '1. Call `auditor_start_audit` to initialize and receive the first step.',
+  '2. Read the `prompt_content` field in the response and follow the instructions there.',
+  '3. When a step completes (not blocked), call `auditor_continue_audit` to advance.',
+  '4. Stop when the step instructions say to stop.',
+  '',
+  'Do not run shell commands. Use only `auditor_*` MCP tools and the `task` tool for subagent dispatch.',
+].join('\n');
+
+function mergeOpenCodeGlobalConfig(existing) {
   const parsed = existing ? JSON.parse(existing) : {};
   const auditPermission = renderOpenCodePermissionConfig();
   const existingAuditor = objectValue(objectValue(parsed.agent).auditor);
@@ -194,7 +200,7 @@ function mergeOpenCodeGlobalConfig(existing, promptBody) {
         ? parsed.command
         : {}),
       'audit-code': {
-        template: promptBody.trimStart(),
+        template: OPENCODE_MCP_COMMAND_TEMPLATE,
         description: 'Autonomous local loop code auditing',
         agent: 'auditor',
         subtask: false,
@@ -208,10 +214,15 @@ function mergeOpenCodeGlobalConfig(existing, promptBody) {
       auditor: {
         ...existingAuditor,
         description: 'Read-heavy audit orchestration agent for the /audit-code workflow.',
-        permission: mergeOpenCodePermissionConfig(
-          existingAuditor.permission,
-          auditPermission,
-        ),
+        tools: {
+          'auditor*': true,
+          task: true,
+        },
+        permission: {
+          ...mergeOpenCodePermissionConfig(existingAuditor.permission, auditPermission),
+          question: 'allow',
+          task: 'allow',
+        },
       },
     },
   };
@@ -233,7 +244,6 @@ if (!promptSource || !skillSource) {
   process.exit(0);
 }
 
-const promptBody = splitFrontmatter(promptSource.toString('utf8')).body;
 const codexOpenAiAgentSource = readOptionalSource(codexOpenAiAgentSourceFile, 'Codex skill UI metadata');
 
 const installs = [
@@ -284,7 +294,7 @@ for (const install of installs) {
 const opencodeGlobalConfig = join(homedir(), '.config', 'opencode', 'opencode.json');
 try {
   const action = installMergedJson(opencodeGlobalConfig, (existing) =>
-    mergeOpenCodeGlobalConfig(existing, promptBody),
+    mergeOpenCodeGlobalConfig(existing),
   );
   console.log(`audit-code: ${action} global OpenCode command in ${opencodeGlobalConfig}`);
 } catch (err) {