auditor-lambda 0.3.26 → 0.3.28

package/audit-code-wrapper-lib.mjs

@@ -399,21 +399,122 @@ async function writeGeneratedMarkdown(targetPath, content) {
   };
 }
 
-async function removeGeneratedMarkdownIfMatches(targetPath, expectedContent) {
-  const existing = await readTextIfExists(targetPath);
-  if (existing === null) {
-    return null;
+function looksLikeAuditCodeSkill(content) {
+  const normalized = normalizeNewlines(content);
+  return (
+    /^name:\s*audit-code\b/mu.test(normalized)
+    || normalized.includes('Conversation-first autonomous code auditing workflow for the /audit-code command.')
+    || normalized.includes('The canonical entrypoint is `/audit-code` in conversation.')
+  );
+}
+
+function looksLikeAuditCodePrompt(content) {
+  const normalized = normalizeNewlines(content);
+  return (
+    normalized.includes('# `/audit-code`')
+    && (
+      normalized.includes('audit-code orchestrator')
+      || normalized.includes('Autonomous local loop code auditing')
+      || normalized.includes('Conversation-first autonomous code auditing workflow')
+    )
+  );
+}
+
+function looksLikeAuditCodeInterfaceMetadata(content) {
+  const normalized = normalizeNewlines(content);
+  return (
+    normalized.includes('audit-code')
+    && (
+      normalized.includes('display_name:')
+      || normalized.includes('short_description:')
+      || normalized.includes('default_prompt:')
+    )
+    && (
+      normalized.includes('/audit-code')
+      || normalized.includes('Start /audit-code')
+    )
+  );
+}
+
+async function buildLegacyAuditCodeSurfaceTargets(root) {
+  const targets = [
+    {
+      host: 'codex',
+      surface: 'skill',
+      path: join(root, '.codex', 'skills', 'audit-code', 'SKILL.md'),
+      matches: looksLikeAuditCodeSkill,
+    },
+    {
+      host: 'codex',
+      surface: 'prompt',
+      path: join(root, '.codex', 'skills', 'audit-code', 'audit-code.prompt.md'),
+      matches: looksLikeAuditCodePrompt,
+    },
+    {
+      host: 'opencode',
+      surface: 'command',
+      path: join(root, '.opencode', 'commands', 'audit-code.md'),
+      matches: looksLikeAuditCodePrompt,
+    },
+    {
+      host: 'opencode',
+      surface: 'skill',
+      path: join(root, '.opencode', 'skills', 'audit-code', 'SKILL.md'),
+      matches: looksLikeAuditCodeSkill,
+    },
+    {
+      host: 'opencode',
+      surface: 'prompt',
+      path: join(root, '.opencode', 'skills', 'audit-code', 'audit-code.prompt.md'),
+      matches: looksLikeAuditCodePrompt,
+    },
+    {
+      host: 'claude',
+      surface: 'command',
+      path: join(root, '.claude', 'commands', 'audit-code.md'),
+      matches: looksLikeAuditCodePrompt,
+    },
+  ];
+
+  const codexAgentDir = join(root, '.codex', 'skills', 'audit-code', 'agents');
+  const codexAgentEntries = await readdir(codexAgentDir).catch(() => []);
+  for (const entry of codexAgentEntries) {
+    targets.push({
+      host: 'codex',
+      surface: 'interface-metadata',
+      path: join(codexAgentDir, entry),
+      matches: looksLikeAuditCodeInterfaceMetadata,
+    });
   }
 
-  if (normalizeNewlines(existing) !== normalizeNewlines(expectedContent)) {
-    return null;
+  return targets;
+}
+
+async function findLegacyAuditCodeSurfaceFiles(root) {
+  const matches = [];
+  for (const target of await buildLegacyAuditCodeSurfaceTargets(root)) {
+    const existing = await readTextIfExists(target.path);
+    if (existing !== null && target.matches(existing)) {
+      matches.push(target.path);
+    }
   }
+  return matches;
+}
 
-  await unlink(targetPath);
-  return {
-    path: targetPath,
-    mode: 'removed',
-  };
+async function removeLegacyAuditCodeSurfaceFiles(root) {
+  const removed = [];
+  for (const target of await buildLegacyAuditCodeSurfaceTargets(root)) {
+    const existing = await readTextIfExists(target.path);
+    if (existing === null || !target.matches(existing)) {
+      continue;
+    }
+    await unlink(target.path);
+    removed.push({
+      path: target.path,
+      mode: 'removed',
+    });
+  }
+  return removed;
 }
 
 async function writeGeneratedJson(targetPath, value) {
@@ -608,9 +709,7 @@ const OPENCODE_MCP_COMMAND_TEMPLATE = [
   'Use the auditor MCP tools as the primary interface to the audit workflow.',
   '',
   '1. Call `auditor_start_audit` to initialize and receive the first step.',
-  '2. Check `step_kind` in the response:',
-  '   - If `step_kind` is `"capability_check"`: immediately call `auditor_report_capability` with `can_dispatch_subagents: true` and `can_select_subagent_model: true`. Do not run shell commands or inspect prompt_content for this step.',
-  '   - Otherwise: read `prompt_content` and follow it.',
+  '2. Read `prompt_content` in the response and follow it.',
   '3. When a step completes (not blocked), call `auditor_continue_audit` to advance.',
   '4. Stop when the step instructions say to stop.',
   '',
@@ -620,18 +719,9 @@ const OPENCODE_MCP_COMMAND_TEMPLATE = [
 ].join('\n');
 
 function renderOpenCodeProjectConfig(_root) {
-  const launcher = `.audit-code/install/${MCP_LAUNCHER_FILENAME}`;
   const auditPermission = renderOpenCodePermissionConfig();
   return {
     $schema: 'https://opencode.ai/config.json',
-    mcp: {
-      auditor: {
-        type: 'local',
-        command: ['node', launcher],
-        enabled: true,
-        timeout: 10000,
-      },
-    },
     permission: auditPermission,
     agent: {
       auditor: {
@@ -803,14 +893,13 @@ function assertOpenCodeAuditPermissionConfig(permissionConfig, label) {
 
 function buildMergedOpenCodeProjectConfig(existing, root) {
   const generated = renderOpenCodeProjectConfig(root);
+  const mergedMcp = objectValue(existing.mcp);
+  delete mergedMcp.auditor;
   return {
     ...existing,
     $schema: existing.$schema ?? generated.$schema,
     command: removeManagedOpenCodeCommand(existing.command),
-    mcp: {
-      ...objectValue(existing.mcp),
-      auditor: generated.mcp.auditor,
-    },
+    mcp: mergedMcp,
     permission: {
       ...mergeOpenCodePermissionConfig(existing.permission, generated.permission),
       external_directory: { '*': 'allow' },
@@ -907,6 +996,21 @@ function renderAntigravityPlanningGuide(root) {
   ].join('\n');
 }
 
+function renderGeminiCommandToml(promptBody) {
+  const escapedBody = promptBody.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+  return [
+    '# /audit-code \u2014 Autonomous local-loop code auditing',
+    '# Registered as a Gemini/Antigravity slash command.',
+    '',
+    'description = "Autonomous local-loop code auditing \u2014 loads one backend-rendered audit step at a time"',
+    '',
+    'prompt = """',
+    promptBody.trimEnd(),
+    '"""',
+    '',
+  ].join('\n');
+}
+
 function renderSharedMcpLauncher(sourcePackageRoot) {
   return [
     "import { access, readFile } from 'node:fs/promises';",
@@ -1339,19 +1443,20 @@ const INSTALL_HOST_DEFINITIONS = {
   antigravity: {
     host: 'antigravity',
     label: 'Antigravity',
-    support_level: 'guided',
-    setup_kind: 'planning-guide+mcp-ready',
+    support_level: 'supported',
+    setup_kind: 'gemini-command+planning-guide+mcp-ready',
     summary:
-      'Start in Planning mode with the generated guide and AGENTS instructions, then use the shared MCP launcher once Antigravity is ready to call structured tools.',
-    primary_path_key: 'antigravityPlanningGuidePath',
+      'Use the repo-local .gemini/commands/audit-code.toml slash command, the planning guide, and AGENTS instructions. The shared MCP launcher is available for structured tool calls.',
+    primary_path_key: 'geminiCommandPath',
     supporting_path_keys: [
+      'antigravityPlanningGuidePath',
       'agentsInstructionsPath',
       'mcpLauncherPath',
       'installedPromptPath',
     ],
     steps: [
-      'Open this repository in Antigravity Planning mode.',
-      'Load the generated planning guide and AGENTS instructions before starting the audit.',
+      'Open this repository in Antigravity.',
+      'The /audit-code slash command is automatically discovered from .gemini/commands/audit-code.toml.',
       'Use the shared auditor MCP server when Antigravity needs structured audit state instead of free-form shell guesses.',
     ],
     profile: {
@@ -1857,6 +1962,18 @@ async function verifyInstalledBootstrap(argv) {
     };
   });
 
+  await collectVerifyCheck(generalChecks, 'legacy_local_surfaces', async () => {
+    const legacySurfaces = await findLegacyAuditCodeSurfaceFiles(root);
+    if (legacySurfaces.length > 0) {
+      throw new Error(
+        `Legacy local /audit-code surfaces are still present: ${legacySurfaces.join(', ')}. Run "audit-code install" from ${root}.`,
+      );
+    }
+    return {
+      summary: 'No legacy local /audit-code command or skill surfaces were found.',
+    };
+  });
+
   await collectVerifyCheck(generalChecks, 'shared_launcher_file', async () => {
     const launcher = await readFile(assetPaths.mcpLauncherPath, 'utf8');
     if (!launcher.includes('Unable to locate an audit-code executable')) {
@@ -2005,23 +2122,16 @@ async function verifyInstalledBootstrap(argv) {
       case 'opencode':
         await collectVerifyCheck(checks, 'opencode_config', async () => {
           const config = await readJson(assetPaths.opencodeConfigPath, 'OpenCode project config');
-          const mcpCommand = config?.mcp?.auditor?.command;
-          if (!Array.isArray(mcpCommand) || mcpCommand[0] !== 'node') {
-            throw new Error('OpenCode config must set mcp.auditor.command as a Node command array.');
-          }
-          if (!mcpCommand[1]?.includes(MCP_LAUNCHER_FILENAME)) {
-            throw new Error(`OpenCode config must reference ${MCP_LAUNCHER_FILENAME}, got ${mcpCommand[1] ?? 'missing'}.`);
-          }
-          if (config?.mcp?.auditor?.type !== 'local') {
-            throw new Error(`OpenCode config must set mcp.auditor.type to "local", got ${config?.mcp?.auditor?.type ?? 'missing'}.`);
-          }
           if (config?.command?.['audit-code']) {
             throw new Error('OpenCode project config must not define command["audit-code"]; the slash command is global npm-installed state. Run "audit-code install --host opencode" to remove the stale local command.');
           }
+          if (config?.mcp?.auditor) {
+            throw new Error('OpenCode project config must not define mcp.auditor; the MCP server is supplied by the global npm-installed config. Run "audit-code install --host opencode" to remove the stale project-level MCP entry.');
+          }
           assertOpenCodeAuditPermissionConfig(config?.permission, 'permission');
           assertOpenCodeAuditPermissionConfig(config?.agent?.auditor?.permission, 'agent.auditor.permission');
           return {
-            summary: 'OpenCode project config has MCP server and audit permissions; /audit-code is supplied by the global npm-installed OpenCode command.',
+            summary: 'OpenCode project config has audit permissions; MCP server and /audit-code command are supplied by the global npm-installed config.',
             path: assetPaths.opencodeConfigPath,
           };
         });
@@ -2149,7 +2259,11 @@ async function detectBootstrapRefreshReason(root, host) {
   );
 
   if (hostCatalog.has('codex') && (assetPaths.codexSkillPath || assetPaths.codexPromptPath)) {
-    return 'legacy_repo_local_codex_skill';
+    return 'legacy_local_audit_code_surface';
+  }
+
+  if ((await findLegacyAuditCodeSurfaceFiles(root)).length > 0) {
+    return 'legacy_local_audit_code_surface';
   }
 
   for (const hostKey of getInstallHostKeys(host)) {
@@ -2199,6 +2313,9 @@ async function detectBootstrapRefreshReason(root, host) {
         if (opencodeConfig?.command?.['audit-code']) {
           return 'stale_host_asset:opencode:local_command';
         }
+        if (opencodeConfig?.mcp?.auditor) {
+          return 'stale_host_asset:opencode:project_mcp';
+        }
         try {
           assertOpenCodeAuditPermissionConfig(opencodeConfig?.permission, 'permission');
           assertOpenCodeAuditPermissionConfig(opencodeConfig?.agent?.auditor?.permission, 'agent.auditor.permission');
@@ -2350,6 +2467,9 @@ async function installBootstrap(argv, options = {}) {
     antigravityPlanningGuidePath: profile.writeAntigravity
       ? join(root, '.audit-code', 'install', 'antigravity', 'PLANNING-MODE.md')
       : null,
+    geminiCommandPath: profile.writeAntigravity
+      ? join(root, '.gemini', 'commands', 'audit-code.toml')
+      : null,
   };
 
   const results = [];
@@ -2384,22 +2504,7 @@ async function installBootstrap(argv, options = {}) {
     );
   }
 
-  if (!profile.writeCodex) {
-    const legacyCodexSkillRemoval = await removeGeneratedMarkdownIfMatches(
-      join(root, '.codex', 'skills', 'audit-code', 'SKILL.md'),
-      skillSource,
-    );
-    if (legacyCodexSkillRemoval) {
-      results.push(legacyCodexSkillRemoval);
-    }
-    const legacyCodexPromptRemoval = await removeGeneratedMarkdownIfMatches(
-      join(root, '.codex', 'skills', 'audit-code', 'audit-code.prompt.md'),
-      promptSource,
-    );
-    if (legacyCodexPromptRemoval) {
-      results.push(legacyCodexPromptRemoval);
-    }
-  }
+  results.push(...await removeLegacyAuditCodeSurfaceFiles(root));
 
   if (profile.writeCodex) {
     results.push(
@@ -2447,19 +2552,6 @@ async function installBootstrap(argv, options = {}) {
   }
 
   if (profile.writeOpenCode) {
-    // Remove legacy command/skill/prompt files unconditionally — these paths are exclusively
-    // owned by the auditor-lambda installer and keeping any version of them causes OpenCode to
-    // load the wrong slash command regardless of prompt content.
-    for (const legacyPath of [
-      join(root, '.opencode', 'commands', 'audit-code.md'),
-      join(root, '.opencode', 'skills', 'audit-code', 'SKILL.md'),
-      join(root, '.opencode', 'skills', 'audit-code', 'audit-code.prompt.md'),
-    ]) {
-      if (await fileExists(legacyPath)) {
-        await unlink(legacyPath);
-        results.push({ path: legacyPath, mode: 'removed' });
-      }
-    }
     results.push(
       await writeMergedGeneratedJson(
         assetPaths.opencodeConfigPath,
@@ -2505,6 +2597,12 @@ async function installBootstrap(argv, options = {}) {
         renderAntigravityPlanningGuide(root),
       ),
     );
+    results.push(
+      await writeGeneratedMarkdown(
+        assetPaths.geminiCommandPath,
+        renderGeminiCommandToml(promptBody),
+      ),
+    );
   }
 
   const hostGuidance = buildHostCatalog({
@@ -2566,6 +2664,7 @@ async function installBootstrap(argv, options = {}) {
     slash_command_surfaces: {
       vscode_prompt: assetPaths.vscodePromptPath,
       opencode_config: assetPaths.opencodeConfigPath,
+      gemini_command: assetPaths.geminiCommandPath,
     },
     instruction_surfaces: {
       agents: assetPaths.agentsInstructionsPath,
@@ -2625,6 +2724,22 @@ async function runDistCommand(commandName, argv, { ensureArtifactsDir = false }
   await run(nodeExecutable(), [distEntry, commandName, ...commandArgs]);
 }
 
+async function runDistCommandInline(commandName, argv) {
+  const commandArgs = [...argv];
+  const rootValue = resolve(getFlag(commandArgs, '--root') ?? '.');
+  const artifactsDir = resolve(getFlag(commandArgs, '--artifacts-dir') ?? join(rootValue, '.audit-artifacts'));
+
+  setDefaultFlag(commandArgs, '--root', rootValue);
+  setDefaultFlag(commandArgs, '--artifacts-dir', artifactsDir);
+
+  await mkdir(artifactsDir, { recursive: true });
+  await ensureBuilt();
+
+  const distUrl = new URL(`file:///${distEntry.replace(/\\/g, '/')}`);
+  const cli = await import(distUrl.href);
+  await cli.runCli([process.execPath, distEntry, commandName, ...commandArgs]);
+}
+
 export async function runAuditCodeWrapper({
   usageName,
   argv = process.argv.slice(2),
@@ -2683,7 +2798,7 @@ export async function runAuditCodeWrapper({
   }
 
   if (argv[0] === 'mcp') {
-    await runDistCommand('mcp', argv.slice(1), { ensureArtifactsDir: true });
+    await runDistCommandInline('mcp', argv.slice(1));
     return;
   }
 

package/dist/cli.js

@@ -32,7 +32,7 @@ import { buildReviewPackets, orderTasksForPacketReview, } from "./orchestrator/r
 import { buildFileAnchorSummary, } from "./orchestrator/fileAnchors.js";
 import { LOCAL_SUBPROCESS_PROVIDER_NAME } from "./providers/constants.js";
 import { runAuditCodeMcpServer } from "./mcp/server.js";
-import { scheduleWave, buildProviderModelKey, readQuotaState, recordWaveOutcome, resolveLimits, probeProvider, computeMaxSafeConcurrency, getQuotaStatePath, } from "./quota/index.js";
+import { scheduleWave, buildProviderModelKey, readQuotaState, recordWaveOutcome, resolveLimits, resolveHostActiveSubagentLimit, probeProvider, computeMaxSafeConcurrency, getQuotaStatePath, } from "./quota/index.js";
 const packageRoot = resolve(dirname(fileURLToPath(import.meta.url)), "..");
 const ADVANCE_AUDIT_CONTRACT_VERSION = "audit-code/v1alpha1";
 const WORKER_RESULT_CONTRACT_VERSION = "audit-code-worker-result/v1alpha1";
@@ -188,6 +188,9 @@ function getExplicitProvider(argv) {
 function getHostModel(argv) {
     return getFlag(argv, "--host-model") ?? null;
 }
+function getHostMaxActiveSubagents(argv) {
+    return parsePositiveIntegerFlag(argv, "--host-max-active-subagents") ?? null;
+}
 function getQuotaProbeMode(argv, sessionConfig) {
     const raw = getFlag(argv, "--quota-probe") ?? sessionConfig.quota?.probe ?? "auto";
     if (raw === "auto" || raw === "never" || raw === "force")
@@ -539,6 +542,7 @@ function renderCapabilityCheckPrompt(params) {
         "- `can_dispatch_subagents: true` if the `task` tool or equivalent subagent dispatch is available",
         "- `can_dispatch_subagents: false` if not",
         "- Optionally `can_restrict_subagent_tools: true` and/or `can_select_subagent_model: true`",
+        "- If the host documents or exposes a hard cap on simultaneously active subagents, include `max_active_subagents`.",
         "",
         "Read the `prompt_content` field in the tool response and follow it.",
         "",
@@ -554,6 +558,8 @@ function renderCapabilityCheckPrompt(params) {
         "",
         "If the host can also restrict tools per subagent or select models per subagent, add the matching `--host-can-restrict-subagent-tools true` or `--host-can-select-subagent-model true` flags to the same command. Omit those flags when unsure.",
         "",
+        "If the host has a known active-subagent ceiling, add `--host-max-active-subagents <n>` to the same command. For Codex Desktop, use 6.",
+        "",
         "After the command writes the next step, read and follow only its `prompt_path`.",
         "",
     ].join("\n");
@@ -576,6 +582,8 @@ function renderDispatchReviewPrompt(params) {
             "",
             "Use the `wave_size` from `dispatch_quota`. If `cooldown_until` is non-null, wait until that timestamp before starting the first wave.",
             "",
+            "`dispatch_quota.host_concurrency_limit` records any detected hard host cap that contributed to `wave_size`.",
+            "",
             "For each wave: use the `task` tool (or equivalent subagent dispatch) to launch up to `wave_size` subagents in parallel (one per entry), wait for all to finish, then start the next wave.",
             "",
             "**Fallback — if auditor MCP tools are not available:** Read both of these files:",
@@ -1134,6 +1142,7 @@ async function cmdNextStep(argv) {
     const hostCanRestrictSubagentTools = getOptionalBooleanFlag(argv, "--host-can-restrict-subagent-tools") ??
         false;
     const hostCanSelectSubagentModel = getOptionalBooleanFlag(argv, "--host-can-select-subagent-model") ?? false;
+    const hostMaxActiveSubagents = getHostMaxActiveSubagents(argv);
     let sessionConfig;
     try {
         sessionConfig = await loadSessionConfig(artifactsDir);
@@ -1260,6 +1269,7 @@ async function cmdNextStep(argv) {
         runId: result.activeReviewRun.run_id,
         artifactsDir,
         root,
+        hostActiveSubagentLimit: hostMaxActiveSubagents,
     });
     const mergeCommand = mergeAndIngestCommand(artifactsDir, result.activeReviewRun.run_id);
     const continueCommand = nextStepCommand(root, artifactsDir);
@@ -2238,8 +2248,18 @@ async function prepareDispatchArtifacts(params) {
     const lensDefsPath = join(packageRoot, "dispatch", "lens-definitions.json");
     const lensDefs = await readJsonFile(lensDefsPath);
     await mkdir(taskResultsDir, { recursive: true });
-    const lineIndex = Object.fromEntries(tasks.flatMap((task) => Object.entries(task.file_line_counts ?? {})));
-    const orderedTasks = orderTasksForPacketReview(tasks, {
+    // On resume: skip tasks whose result files already exist from a prior dispatch.
+    const priorResultTaskIds = new Set();
+    for (const task of tasks) {
+        if (existsSync(taskResultPath(taskResultsDir, task.task_id))) {
+            priorResultTaskIds.add(task.task_id);
+        }
+    }
+    const dispatchTasks = priorResultTaskIds.size > 0
+        ? tasks.filter((task) => !priorResultTaskIds.has(task.task_id))
+        : tasks;
+    const lineIndex = Object.fromEntries(dispatchTasks.flatMap((task) => Object.entries(task.file_line_counts ?? {})));
+    const orderedTasks = orderTasksForPacketReview(dispatchTasks, {
         graphBundle: bundle.graph_bundle,
         lineIndex,
     });
@@ -2258,6 +2278,15 @@ async function prepareDispatchArtifacts(params) {
     }
     const plan = [];
     const resultMapEntries = [];
+    for (const task of tasks) {
+        if (priorResultTaskIds.has(task.task_id)) {
+            resultMapEntries.push({
+                packet_id: "__prior_dispatch__",
+                task_id: task.task_id,
+                result_path: taskResultPath(taskResultsDir, task.task_id),
+            });
+        }
+    }
     let largestPacketId = null;
     let largestLines = 0;
     let largestEstimatedTokens = 0;
@@ -2469,13 +2498,18 @@ async function prepareDispatchArtifacts(params) {
     const quotaProviderKey = buildProviderModelKey(quotaProviderName, hostModel);
     const quotaState = await readQuotaState().catch(() => ({ version: 1, entries: {} }));
     const quotaStateEntry = quotaState.entries[quotaProviderKey] ?? null;
+    const hostConcurrencyLimit = resolveHostActiveSubagentLimit({
+        explicitLimit: params.hostActiveSubagentLimit,
+        sessionConfig,
+    });
     const waveSchedule = scheduleWave({
         providerName: quotaProviderName,
         sessionConfig,
         hostModel,
-        requestedConcurrency: sessionConfig.parallel_workers ?? 1,
+        requestedConcurrency: sessionConfig.parallel_workers ?? plan.length,
         estimatedPacketTokens: avgPacketTokens,
         quotaStateEntry,
+        hostConcurrencyLimit,
     });
     const dispatchQuota = {
         contract_version: "audit-code-dispatch-quota/v1alpha1",
@@ -2484,6 +2518,7 @@ async function prepareDispatchArtifacts(params) {
         resolved_limits: waveSchedule.resolved_limits,
         confidence: waveSchedule.confidence,
         source: waveSchedule.source,
+        host_concurrency_limit: waveSchedule.host_concurrency_limit,
         wave_size: waveSchedule.wave_size,
         estimated_wave_tokens: waveSchedule.estimated_wave_tokens,
         cooldown_until: waveSchedule.cooldown_until,
@@ -2518,6 +2553,7 @@ async function prepareDispatchArtifacts(params) {
         dispatch_quota_path: dispatchQuotaPath,
         packet_count: plan.length,
         task_count: orderedTasks.length,
+        skipped_task_count: priorResultTaskIds.size,
         largest_packet: largestPacketId
             ? {
                 packet_id: largestPacketId,
@@ -2538,6 +2574,7 @@ async function cmdPrepareDispatch(argv) {
         artifactsDir: getArtifactsDir(argv),
         root: getFlag(argv, "--root") ? getRootDir(argv) : undefined,
         hostModel: getHostModel(argv),
+        hostActiveSubagentLimit: getHostMaxActiveSubagents(argv),
     });
     console.log(JSON.stringify(result, null, 2));
 }
@@ -3214,12 +3251,17 @@ async function cmdQuota(argv) {
     const quotaState = await readQuotaState().catch(() => ({ version: 1, entries: {} }));
     const quotaStateEntry = quotaState.entries[providerModelKey] ?? null;
     const halfLifeHours = sessionConfig.quota?.empirical_half_life_hours ?? 24;
+    const hostConcurrencyLimit = resolveHostActiveSubagentLimit({
+        explicitLimit: getHostMaxActiveSubagents(argv),
+        sessionConfig,
+    });
     const waveSchedule = scheduleWave({
         providerName,
         sessionConfig,
         hostModel,
         requestedConcurrency: sessionConfig.parallel_workers ?? 1,
         quotaStateEntry,
+        hostConcurrencyLimit,
     });
     console.log(JSON.stringify({
         provider: providerName,
@@ -3228,6 +3270,7 @@ async function cmdQuota(argv) {
         resolved_limits: limits,
         confidence,
         source,
+        host_concurrency_limit: hostConcurrencyLimit,
         probe: probeResult,
         learned_caps: quotaStateEntry
             ? {

package/dist/mcp/server.js

@@ -364,6 +364,10 @@ async function handleToolCall(name, params, defaults) {
             if (canSelect !== undefined) {
                 extraArgs.push("--host-can-select-subagent-model", String(Boolean(canSelect)));
             }
+            const maxActiveSubagents = params?.max_active_subagents ?? params?.maxActiveSubagents;
+            if (maxActiveSubagents !== undefined) {
+                extraArgs.push("--host-max-active-subagents", String(maxActiveSubagents));
+            }
             return toolResult(await runContinueAudit(context, ["next-step", ...extraArgs]));
         }
         default:
@@ -522,6 +526,11 @@ function toolDefinitions() {
                         type: "boolean",
                         description: "Whether this host can select a model per subagent.",
                     },
+                    max_active_subagents: {
+                        type: "integer",
+                        minimum: 1,
+                        description: "Known hard cap on simultaneously active subagents for this host, if available.",
+                    },
                     root: { type: "string", description: "Repository root override." },
                     artifacts_dir: {
                         type: "string",

package/dist/quota/hostLimits.d.ts

@@ -0,0 +1,8 @@
+import type { SessionConfig } from "../types/sessionConfig.js";
+import type { HostConcurrencyLimit } from "./types.js";
+export declare function detectHostActiveSubagentLimit(env?: NodeJS.ProcessEnv): HostConcurrencyLimit | null;
+export declare function resolveHostActiveSubagentLimit(options: {
+    explicitLimit?: number | null;
+    sessionConfig: SessionConfig;
+    env?: NodeJS.ProcessEnv;
+}): HostConcurrencyLimit | null;

package/dist/quota/hostLimits.js

@@ -0,0 +1,50 @@
+const CODEX_DESKTOP_ACTIVE_SUBAGENT_LIMIT = 6;
+function parsePositiveInteger(value) {
+    if (typeof value === "number") {
+        return Number.isInteger(value) && value > 0 ? value : null;
+    }
+    if (typeof value !== "string")
+        return null;
+    const trimmed = value.trim();
+    if (!/^\d+$/.test(trimmed))
+        return null;
+    const parsed = Number(trimmed);
+    return Number.isSafeInteger(parsed) && parsed > 0 ? parsed : null;
+}
+export function detectHostActiveSubagentLimit(env = process.env) {
+    const explicitEnvLimit = parsePositiveInteger(env.AUDIT_CODE_HOST_MAX_ACTIVE_SUBAGENTS ??
+        env.CODEX_MAX_ACTIVE_SUBAGENTS);
+    if (explicitEnvLimit !== null) {
+        return {
+            active_subagents: explicitEnvLimit,
+            source: "environment",
+            description: "Host active subagent limit from environment.",
+        };
+    }
+    if (env.CODEX_INTERNAL_ORIGINATOR_OVERRIDE === "Codex Desktop") {
+        return {
+            active_subagents: CODEX_DESKTOP_ACTIVE_SUBAGENT_LIMIT,
+            source: "environment",
+            description: "Codex Desktop active subagent limit.",
+        };
+    }
+    return null;
+}
+export function resolveHostActiveSubagentLimit(options) {
+    if (options.explicitLimit !== undefined && options.explicitLimit !== null) {
+        return {
+            active_subagents: options.explicitLimit,
+            source: "cli_flags",
+            description: "Host active subagent limit reported by the conversation host.",
+        };
+    }
+    const configuredLimit = parsePositiveInteger(options.sessionConfig.quota?.host_active_subagent_limit);
+    if (configuredLimit !== null) {
+        return {
+            active_subagents: configuredLimit,
+            source: "session_config",
+            description: "Host active subagent limit from session-config quota settings.",
+        };
+    }
+    return detectHostActiveSubagentLimit(options.env);
+}

package/dist/quota/index.d.ts

@@ -1,8 +1,9 @@
 export { resolveLimits, lookupKnownModel, classifyProvider } from "./limits.js";
 export type { LimitResolutionResult, ResolveLimitsOptions, ProviderType } from "./limits.js";
+export { detectHostActiveSubagentLimit, resolveHostActiveSubagentLimit, } from "./hostLimits.js";
 export { readQuotaState, writeQuotaState, computeMaxSafeConcurrency, recordWaveOutcome, getQuotaStatePath, decayWeight, applyDecayToEntry, } from "./state.js";
 export { scheduleWave, buildProviderModelKey } from "./scheduler.js";
 export type { ScheduleWaveOptions } from "./scheduler.js";
 export { probeProvider } from "./probe.js";
 export type { ProbeResult } from "./probe.js";
-export type { ResolvedLimits, LimitSource, LimitConfidence, QuotaState, QuotaStateEntry, ConcurrencyBucket, WaveSchedule, DispatchQuota, ObservedWaveOutcome, } from "./types.js";
+export type { ResolvedLimits, LimitSource, LimitConfidence, HostConcurrencyLimit, HostConcurrencyLimitSource, QuotaState, QuotaStateEntry, ConcurrencyBucket, WaveSchedule, DispatchQuota, ObservedWaveOutcome, } from "./types.js";

package/dist/quota/index.js

@@ -1,4 +1,5 @@
 export { resolveLimits, lookupKnownModel, classifyProvider } from "./limits.js";
+export { detectHostActiveSubagentLimit, resolveHostActiveSubagentLimit, } from "./hostLimits.js";
 export { readQuotaState, writeQuotaState, computeMaxSafeConcurrency, recordWaveOutcome, getQuotaStatePath, decayWeight, applyDecayToEntry, } from "./state.js";
 export { scheduleWave, buildProviderModelKey } from "./scheduler.js";
 export { probeProvider } from "./probe.js";

package/dist/quota/scheduler.d.ts

@@ -1,5 +1,5 @@
 import type { ResolvedProviderName, SessionConfig } from "../types/sessionConfig.js";
-import type { QuotaStateEntry, WaveSchedule } from "./types.js";
+import type { HostConcurrencyLimit, QuotaStateEntry, WaveSchedule } from "./types.js";
 export interface ScheduleWaveOptions {
     providerName: ResolvedProviderName;
     sessionConfig: SessionConfig;
@@ -8,6 +8,7 @@ export interface ScheduleWaveOptions {
     /** Average estimated tokens per packet/worker. Used for TPM budget. */
     estimatedPacketTokens?: number;
     quotaStateEntry?: QuotaStateEntry | null;
+    hostConcurrencyLimit?: HostConcurrencyLimit | null;
 }
 export declare function scheduleWave(options: ScheduleWaveOptions): WaveSchedule;
 /** Build the state key used for indexing quota-state.json entries. */

package/dist/quota/scheduler.js

@@ -1,9 +1,15 @@
 import { resolveLimits } from "./limits.js";
 import { computeMaxSafeConcurrency } from "./state.js";
 export function scheduleWave(options) {
-    const { providerName, sessionConfig, hostModel, requestedConcurrency, estimatedPacketTokens = 0, quotaStateEntry = null, } = options;
+    const { providerName, sessionConfig, hostModel, requestedConcurrency, estimatedPacketTokens = 0, quotaStateEntry = null, hostConcurrencyLimit = null, } = options;
     const quota = sessionConfig.quota ?? {};
+    const applyHostConcurrencyLimit = (waveSize) => {
+        if (hostConcurrencyLimit === null)
+            return waveSize;
+        return Math.min(waveSize, hostConcurrencyLimit.active_subagents);
+    };
     if (quota.enabled === false) {
+        const waveSize = Math.max(1, applyHostConcurrencyLimit(requestedConcurrency));
         const limits = {
             context_tokens: quota.default_context_tokens ?? 32_000,
             output_tokens: quota.reserved_output_tokens ?? 4_096,
@@ -12,12 +18,13 @@ export function scheduleWave(options) {
             output_tokens_per_minute: null,
         };
         return {
-            wave_size: requestedConcurrency,
-            estimated_wave_tokens: requestedConcurrency * estimatedPacketTokens,
+            wave_size: waveSize,
+            estimated_wave_tokens: waveSize * estimatedPacketTokens,
             cooldown_until: null,
             confidence: "high",
             source: "default",
             resolved_limits: limits,
+            host_concurrency_limit: hostConcurrencyLimit,
             model: hostModel,
         };
     }
@@ -51,6 +58,7 @@ export function scheduleWave(options) {
         }
         // No learned data: use requestedConcurrency and let 429 outcomes train the cap
     }
+    waveSize = applyHostConcurrencyLimit(waveSize);
     waveSize = Math.max(1, waveSize);
     return {
         wave_size: waveSize,
@@ -59,6 +67,7 @@ export function scheduleWave(options) {
         confidence,
         source,
         resolved_limits: limits,
+        host_concurrency_limit: hostConcurrencyLimit,
         model: hostModel,
     };
 }

package/dist/quota/types.d.ts

@@ -1,5 +1,11 @@
 export type LimitSource = "explicit_config" | "cli_flags" | "known_metadata" | "learned" | "default";
 export type LimitConfidence = "high" | "medium" | "low";
+export type HostConcurrencyLimitSource = "cli_flags" | "session_config" | "environment";
+export interface HostConcurrencyLimit {
+    active_subagents: number;
+    source: HostConcurrencyLimitSource;
+    description: string;
+}
 export interface ResolvedLimits {
     context_tokens: number;
     output_tokens: number;
@@ -28,6 +34,7 @@ export interface WaveSchedule {
     confidence: LimitConfidence;
     source: LimitSource;
     resolved_limits: ResolvedLimits;
+    host_concurrency_limit: HostConcurrencyLimit | null;
     model: string | null;
 }
 export interface DispatchQuota {
@@ -37,6 +44,7 @@ export interface DispatchQuota {
     resolved_limits: ResolvedLimits;
     confidence: LimitConfidence;
     source: LimitSource;
+    host_concurrency_limit: HostConcurrencyLimit | null;
     wave_size: number;
     estimated_wave_tokens: number;
     cooldown_until: string | null;

package/dist/reporting/mergeFindings.js

@@ -1,6 +1,35 @@
 function normalizeText(value) {
     return (value ?? "").trim().toLowerCase();
 }
+function wordSet(text) {
+    return new Set(text
+        .toLowerCase()
+        .replace(/[^a-z0-9\s]/g, " ")
+        .split(/\s+/)
+        .filter(Boolean));
+}
+function wordJaccard(a, b) {
+    const sa = wordSet(a);
+    const sb = wordSet(b);
+    let intersection = 0;
+    for (const w of sa) {
+        if (sb.has(w))
+            intersection++;
+    }
+    const union = sa.size + sb.size - intersection;
+    return union === 0 ? 0 : intersection / union;
+}
+function filePathOverlap(a, b) {
+    const setA = new Set(a.affected_files.map((f) => f.path));
+    const setB = new Set(b.affected_files.map((f) => f.path));
+    let intersection = 0;
+    for (const path of setA) {
+        if (setB.has(path))
+            intersection++;
+    }
+    const union = setA.size + setB.size - intersection;
+    return union === 0 ? 0 : intersection / union;
+}
 function primaryPath(finding) {
     return finding.affected_files[0]?.path ?? "";
 }
@@ -63,6 +92,62 @@ function mergeAffectedFiles(existing, incoming) {
     }
     existing.affected_files.sort((a, b) => a.path.localeCompare(b.path) || (a.line_start ?? 0) - (b.line_start ?? 0));
 }
+function deduplicateCrossLens(findings) {
+    const groups = new Map();
+    for (const finding of findings) {
+        const key = primaryPath(finding);
+        const group = groups.get(key);
+        if (group) {
+            group.push(finding);
+        }
+        else {
+            groups.set(key, [finding]);
+        }
+    }
+    const removed = new Set();
+    for (const group of groups.values()) {
+        if (group.length < 2)
+            continue;
+        for (let i = 0; i < group.length; i++) {
+            if (removed.has(group[i]))
+                continue;
+            for (let j = i + 1; j < group.length; j++) {
+                if (removed.has(group[j]))
+                    continue;
+                const a = group[i];
+                const b = group[j];
+                if (normalizeText(a.lens) === normalizeText(b.lens))
+                    continue;
+                const titleSim = wordJaccard(a.title, b.title);
+                const catMatch = normalizeText(a.category) === normalizeText(b.category);
+                const threshold = catMatch ? 0.4 : 0.5;
+                if (titleSim < threshold)
+                    continue;
+                if (filePathOverlap(a, b) < 0.5)
+                    continue;
+                const aSev = severityRank(a.severity);
+                const bSev = severityRank(b.severity);
+                const aConf = confidenceRank(a.confidence);
+                const bConf = confidenceRank(b.confidence);
+                const keepA = aSev > bSev || (aSev === bSev && aConf >= bConf);
+                const [survivor, absorbed] = keepA ? [a, b] : [b, a];
+                mergeAffectedFiles(survivor, absorbed);
+                survivor.evidence = [
+                    ...new Set([
+                        ...(survivor.evidence ?? []),
+                        ...(absorbed.evidence ?? []),
+                    ]),
+                ];
+                survivor.systemic = Boolean(survivor.systemic || absorbed.systemic);
+                if (absorbed.summary.length > survivor.summary.length) {
+                    survivor.summary = absorbed.summary;
+                }
+                removed.add(absorbed);
+            }
+        }
+    }
+    return findings.filter((f) => !removed.has(f));
+}
 export function mergeFindings(results, runtimeReport, externalAnalyzerResults) {
     const merged = new Map();
     const runtimeEvidence = runtimeSummary(runtimeReport);
@@ -109,7 +194,7 @@ export function mergeFindings(results, runtimeReport, externalAnalyzerResults) {
             ];
         }
     }
-    return [...merged.values()].sort((a, b) => {
+    return deduplicateCrossLens([...merged.values()]).sort((a, b) => {
         const severityDelta = severityRank(b.severity) - severityRank(a.severity);
         if (severityDelta !== 0)
             return severityDelta;

package/dist/types/sessionConfig.d.ts

@@ -44,6 +44,8 @@ export interface QuotaConfig {
     reserved_output_tokens?: number;
     /** Half-life of empirical success/failure evidence in hours (default: 24). */
     empirical_half_life_hours?: number;
+    /** Hard host ceiling for simultaneously active conversation subagents. */
+    host_active_subagent_limit?: number;
     /** Per-model overrides keyed by "provider/model". */
     models?: Record<string, QuotaModelLimits>;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.3.26",
+  "version": "0.3.28",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",

package/schemas/dispatch_quota.schema.json

@@ -11,6 +11,7 @@
     "resolved_limits",
     "confidence",
     "source",
+    "host_concurrency_limit",
     "wave_size",
     "estimated_wave_tokens",
     "cooldown_until"
@@ -58,6 +59,30 @@
       "enum": ["explicit_config", "cli_flags", "known_metadata", "learned", "default"],
       "description": "Where the resolved limits came from."
     },
+    "host_concurrency_limit": {
+      "type": ["object", "null"],
+      "description": "A hard host ceiling on simultaneously active subagents, if detected or reported.",
+      "required": [
+        "active_subagents",
+        "source",
+        "description"
+      ],
+      "additionalProperties": false,
+      "properties": {
+        "active_subagents": {
+          "type": "integer",
+          "minimum": 1
+        },
+        "source": {
+          "type": "string",
+          "enum": ["cli_flags", "session_config", "environment"]
+        },
+        "description": {
+          "type": "string",
+          "minLength": 1
+        }
+      }
+    },
     "wave_size": {
       "type": "integer",
       "minimum": 1,

package/scripts/postinstall.mjs

@@ -283,9 +283,7 @@ const OPENCODE_MCP_COMMAND_TEMPLATE = [
   'Use the auditor MCP tools as the primary interface to the audit workflow.',
   '',
   '1. Call `auditor_start_audit` to initialize and receive the first step.',
-  '2. Check `step_kind` in the response:',
-  '   - If `step_kind` is `"capability_check"`: immediately call `auditor_report_capability` with `can_dispatch_subagents: true` and `can_select_subagent_model: true`. Do not run shell commands or inspect prompt_content for this step.',
-  '   - Otherwise: read `prompt_content` and follow it.',
+  '2. Read `prompt_content` in the response and follow it.',
   '3. When a step completes (not blocked), call `auditor_continue_audit` to advance.',
   '4. Stop when the step instructions say to stop.',
   '',