auditor-lambda 0.3.27 → 0.3.29

package/audit-code-wrapper-lib.mjs

@@ -996,6 +996,21 @@ function renderAntigravityPlanningGuide(root) {
   ].join('\n');
 }
 
+function renderGeminiCommandToml(promptBody) {
+  const escapedBody = promptBody.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+  return [
+    '# /audit-code \u2014 Autonomous local-loop code auditing',
+    '# Registered as a Gemini/Antigravity slash command.',
+    '',
+    'description = "Autonomous local-loop code auditing \u2014 loads one backend-rendered audit step at a time"',
+    '',
+    'prompt = """',
+    promptBody.trimEnd(),
+    '"""',
+    '',
+  ].join('\n');
+}
+
 function renderSharedMcpLauncher(sourcePackageRoot) {
   return [
     "import { access, readFile } from 'node:fs/promises';",
@@ -1428,19 +1443,22 @@ const INSTALL_HOST_DEFINITIONS = {
   antigravity: {
     host: 'antigravity',
     label: 'Antigravity',
-    support_level: 'guided',
-    setup_kind: 'planning-guide+mcp-ready',
+    support_level: 'supported',
+    setup_kind: 'agent-skill+gemini-command+planning-guide+mcp-ready',
     summary:
-      'Start in Planning mode with the generated guide and AGENTS instructions, then use the shared MCP launcher once Antigravity is ready to call structured tools.',
-    primary_path_key: 'antigravityPlanningGuidePath',
+      'Uses the project-scoped .agent/skills/audit-code/SKILL.md skill, the .gemini/commands/audit-code.toml slash command, the planning guide, and AGENTS instructions. The shared MCP launcher is available for structured tool calls.',
+    primary_path_key: 'antigravitySkillPath',
     supporting_path_keys: [
+      'geminiCommandPath',
+      'antigravityPlanningGuidePath',
       'agentsInstructionsPath',
       'mcpLauncherPath',
       'installedPromptPath',
     ],
     steps: [
-      'Open this repository in Antigravity Planning mode.',
-      'Load the generated planning guide and AGENTS instructions before starting the audit.',
+      'Open this repository in Antigravity.',
+      'The audit-code skill is automatically discovered from .agent/skills/audit-code/SKILL.md.',
+      'The /audit-code slash command is also available from .gemini/commands/audit-code.toml.',
       'Use the shared auditor MCP server when Antigravity needs structured audit state instead of free-form shell guesses.',
     ],
     profile: {
@@ -2154,6 +2172,16 @@ async function verifyInstalledBootstrap(argv) {
         });
         break;
       case 'antigravity':
+        await collectVerifyCheck(checks, 'antigravity_skill', async () => {
+          const content = await readFile(assetPaths.antigravitySkillPath, 'utf8');
+          if (!content.includes('name: audit-code')) {
+            throw new Error('Antigravity skill SKILL.md must contain "name: audit-code" in frontmatter.');
+          }
+          return {
+            summary: 'Antigravity .agent/skills/audit-code/SKILL.md is present and valid.',
+            path: assetPaths.antigravitySkillPath,
+          };
+        });
         await collectVerifyCheck(checks, 'antigravity_guide', async () => {
           const content = await readFile(assetPaths.antigravityPlanningGuidePath, 'utf8');
           if (!content.includes(MCP_LAUNCHER_FILENAME) || !content.includes(INSTALLED_PROMPT_FILENAME)) {
@@ -2321,6 +2349,17 @@ async function detectBootstrapRefreshReason(root, host) {
         }
         break;
       }
+      case 'antigravity': {
+        const expectedSkillPath = join(root, '.agent', 'skills', 'audit-code', 'SKILL.md');
+        if (!(await fileExists(expectedSkillPath))) {
+          return 'missing_host_asset:antigravity:skill';
+        }
+        const antigravitySkill = await readTextIfExists(expectedSkillPath);
+        if (antigravitySkill !== null && antigravitySkill.replace(/\r\n/g, '\n') !== sourceSkill) {
+          return 'stale_host_asset:antigravity:skill';
+        }
+        break;
+      }
       default:
         break;
     }
@@ -2451,6 +2490,12 @@ async function installBootstrap(argv, options = {}) {
     antigravityPlanningGuidePath: profile.writeAntigravity
       ? join(root, '.audit-code', 'install', 'antigravity', 'PLANNING-MODE.md')
       : null,
+    geminiCommandPath: profile.writeAntigravity
+      ? join(root, '.gemini', 'commands', 'audit-code.toml')
+      : null,
+    antigravitySkillPath: profile.writeAntigravity
+      ? join(root, '.agent', 'skills', 'audit-code', 'SKILL.md')
+      : null,
   };
 
   const results = [];
@@ -2578,6 +2623,18 @@ async function installBootstrap(argv, options = {}) {
         renderAntigravityPlanningGuide(root),
       ),
     );
+    results.push(
+      await writeGeneratedMarkdown(
+        assetPaths.geminiCommandPath,
+        renderGeminiCommandToml(promptBody),
+      ),
+    );
+    results.push(
+      await writeGeneratedMarkdown(
+        assetPaths.antigravitySkillPath,
+        skillSource,
+      ),
+    );
   }
 
   const hostGuidance = buildHostCatalog({
@@ -2639,6 +2696,8 @@ async function installBootstrap(argv, options = {}) {
     slash_command_surfaces: {
       vscode_prompt: assetPaths.vscodePromptPath,
       opencode_config: assetPaths.opencodeConfigPath,
+      gemini_command: assetPaths.geminiCommandPath,
+      antigravity_skill: assetPaths.antigravitySkillPath,
     },
     instruction_surfaces: {
       agents: assetPaths.agentsInstructionsPath,

package/dist/cli.js

@@ -32,7 +32,7 @@ import { buildReviewPackets, orderTasksForPacketReview, } from "./orchestrator/r
 import { buildFileAnchorSummary, } from "./orchestrator/fileAnchors.js";
 import { LOCAL_SUBPROCESS_PROVIDER_NAME } from "./providers/constants.js";
 import { runAuditCodeMcpServer } from "./mcp/server.js";
-import { scheduleWave, buildProviderModelKey, readQuotaState, recordWaveOutcome, resolveLimits, probeProvider, computeMaxSafeConcurrency, getQuotaStatePath, } from "./quota/index.js";
+import { scheduleWave, buildProviderModelKey, readQuotaState, recordWaveOutcome, resolveLimits, resolveHostActiveSubagentLimit, probeProvider, computeMaxSafeConcurrency, getQuotaStatePath, } from "./quota/index.js";
 const packageRoot = resolve(dirname(fileURLToPath(import.meta.url)), "..");
 const ADVANCE_AUDIT_CONTRACT_VERSION = "audit-code/v1alpha1";
 const WORKER_RESULT_CONTRACT_VERSION = "audit-code-worker-result/v1alpha1";
@@ -188,6 +188,9 @@ function getExplicitProvider(argv) {
 function getHostModel(argv) {
     return getFlag(argv, "--host-model") ?? null;
 }
+function getHostMaxActiveSubagents(argv) {
+    return parsePositiveIntegerFlag(argv, "--host-max-active-subagents") ?? null;
+}
 function getQuotaProbeMode(argv, sessionConfig) {
     const raw = getFlag(argv, "--quota-probe") ?? sessionConfig.quota?.probe ?? "auto";
     if (raw === "auto" || raw === "never" || raw === "force")
@@ -539,6 +542,7 @@ function renderCapabilityCheckPrompt(params) {
         "- `can_dispatch_subagents: true` if the `task` tool or equivalent subagent dispatch is available",
         "- `can_dispatch_subagents: false` if not",
         "- Optionally `can_restrict_subagent_tools: true` and/or `can_select_subagent_model: true`",
+        "- If the host documents or exposes a hard cap on simultaneously active subagents, include `max_active_subagents`.",
         "",
         "Read the `prompt_content` field in the tool response and follow it.",
         "",
@@ -554,6 +558,8 @@ function renderCapabilityCheckPrompt(params) {
         "",
         "If the host can also restrict tools per subagent or select models per subagent, add the matching `--host-can-restrict-subagent-tools true` or `--host-can-select-subagent-model true` flags to the same command. Omit those flags when unsure.",
         "",
+        "If the host has a known active-subagent ceiling, add `--host-max-active-subagents <n>` to the same command. For Codex Desktop, use 6.",
+        "",
         "After the command writes the next step, read and follow only its `prompt_path`.",
         "",
     ].join("\n");
@@ -576,6 +582,8 @@ function renderDispatchReviewPrompt(params) {
             "",
             "Use the `wave_size` from `dispatch_quota`. If `cooldown_until` is non-null, wait until that timestamp before starting the first wave.",
             "",
+            "`dispatch_quota.host_concurrency_limit` records any detected hard host cap that contributed to `wave_size`.",
+            "",
             "For each wave: use the `task` tool (or equivalent subagent dispatch) to launch up to `wave_size` subagents in parallel (one per entry), wait for all to finish, then start the next wave.",
             "",
             "**Fallback — if auditor MCP tools are not available:** Read both of these files:",
@@ -1134,6 +1142,7 @@ async function cmdNextStep(argv) {
     const hostCanRestrictSubagentTools = getOptionalBooleanFlag(argv, "--host-can-restrict-subagent-tools") ??
         false;
     const hostCanSelectSubagentModel = getOptionalBooleanFlag(argv, "--host-can-select-subagent-model") ?? false;
+    const hostMaxActiveSubagents = getHostMaxActiveSubagents(argv);
     let sessionConfig;
     try {
         sessionConfig = await loadSessionConfig(artifactsDir);
@@ -1260,6 +1269,7 @@ async function cmdNextStep(argv) {
         runId: result.activeReviewRun.run_id,
         artifactsDir,
         root,
+        hostActiveSubagentLimit: hostMaxActiveSubagents,
     });
     const mergeCommand = mergeAndIngestCommand(artifactsDir, result.activeReviewRun.run_id);
     const continueCommand = nextStepCommand(root, artifactsDir);
@@ -2488,6 +2498,10 @@ async function prepareDispatchArtifacts(params) {
     const quotaProviderKey = buildProviderModelKey(quotaProviderName, hostModel);
     const quotaState = await readQuotaState().catch(() => ({ version: 1, entries: {} }));
     const quotaStateEntry = quotaState.entries[quotaProviderKey] ?? null;
+    const hostConcurrencyLimit = resolveHostActiveSubagentLimit({
+        explicitLimit: params.hostActiveSubagentLimit,
+        sessionConfig,
+    });
     const waveSchedule = scheduleWave({
         providerName: quotaProviderName,
         sessionConfig,
@@ -2495,6 +2509,7 @@ async function prepareDispatchArtifacts(params) {
         requestedConcurrency: sessionConfig.parallel_workers ?? plan.length,
         estimatedPacketTokens: avgPacketTokens,
         quotaStateEntry,
+        hostConcurrencyLimit,
     });
     const dispatchQuota = {
         contract_version: "audit-code-dispatch-quota/v1alpha1",
@@ -2503,6 +2518,7 @@ async function prepareDispatchArtifacts(params) {
         resolved_limits: waveSchedule.resolved_limits,
         confidence: waveSchedule.confidence,
         source: waveSchedule.source,
+        host_concurrency_limit: waveSchedule.host_concurrency_limit,
         wave_size: waveSchedule.wave_size,
         estimated_wave_tokens: waveSchedule.estimated_wave_tokens,
         cooldown_until: waveSchedule.cooldown_until,
@@ -2558,6 +2574,7 @@ async function cmdPrepareDispatch(argv) {
         artifactsDir: getArtifactsDir(argv),
         root: getFlag(argv, "--root") ? getRootDir(argv) : undefined,
         hostModel: getHostModel(argv),
+        hostActiveSubagentLimit: getHostMaxActiveSubagents(argv),
     });
     console.log(JSON.stringify(result, null, 2));
 }
@@ -3234,12 +3251,17 @@ async function cmdQuota(argv) {
     const quotaState = await readQuotaState().catch(() => ({ version: 1, entries: {} }));
     const quotaStateEntry = quotaState.entries[providerModelKey] ?? null;
     const halfLifeHours = sessionConfig.quota?.empirical_half_life_hours ?? 24;
+    const hostConcurrencyLimit = resolveHostActiveSubagentLimit({
+        explicitLimit: getHostMaxActiveSubagents(argv),
+        sessionConfig,
+    });
     const waveSchedule = scheduleWave({
         providerName,
         sessionConfig,
         hostModel,
         requestedConcurrency: sessionConfig.parallel_workers ?? 1,
         quotaStateEntry,
+        hostConcurrencyLimit,
     });
     console.log(JSON.stringify({
         provider: providerName,
@@ -3248,6 +3270,7 @@ async function cmdQuota(argv) {
         resolved_limits: limits,
         confidence,
         source,
+        host_concurrency_limit: hostConcurrencyLimit,
         probe: probeResult,
         learned_caps: quotaStateEntry
             ? {

package/dist/mcp/server.js

@@ -364,6 +364,10 @@ async function handleToolCall(name, params, defaults) {
             if (canSelect !== undefined) {
                 extraArgs.push("--host-can-select-subagent-model", String(Boolean(canSelect)));
             }
+            const maxActiveSubagents = params?.max_active_subagents ?? params?.maxActiveSubagents;
+            if (maxActiveSubagents !== undefined) {
+                extraArgs.push("--host-max-active-subagents", String(maxActiveSubagents));
+            }
             return toolResult(await runContinueAudit(context, ["next-step", ...extraArgs]));
         }
         default:
@@ -522,6 +526,11 @@ function toolDefinitions() {
                         type: "boolean",
                         description: "Whether this host can select a model per subagent.",
                     },
+                    max_active_subagents: {
+                        type: "integer",
+                        minimum: 1,
+                        description: "Known hard cap on simultaneously active subagents for this host, if available.",
+                    },
                     root: { type: "string", description: "Repository root override." },
                     artifacts_dir: {
                         type: "string",

package/dist/quota/hostLimits.d.ts

@@ -0,0 +1,8 @@
+import type { SessionConfig } from "../types/sessionConfig.js";
+import type { HostConcurrencyLimit } from "./types.js";
+export declare function detectHostActiveSubagentLimit(env?: NodeJS.ProcessEnv): HostConcurrencyLimit | null;
+export declare function resolveHostActiveSubagentLimit(options: {
+    explicitLimit?: number | null;
+    sessionConfig: SessionConfig;
+    env?: NodeJS.ProcessEnv;
+}): HostConcurrencyLimit | null;

package/dist/quota/hostLimits.js

@@ -0,0 +1,50 @@
+const CODEX_DESKTOP_ACTIVE_SUBAGENT_LIMIT = 6;
+function parsePositiveInteger(value) {
+    if (typeof value === "number") {
+        return Number.isInteger(value) && value > 0 ? value : null;
+    }
+    if (typeof value !== "string")
+        return null;
+    const trimmed = value.trim();
+    if (!/^\d+$/.test(trimmed))
+        return null;
+    const parsed = Number(trimmed);
+    return Number.isSafeInteger(parsed) && parsed > 0 ? parsed : null;
+}
+export function detectHostActiveSubagentLimit(env = process.env) {
+    const explicitEnvLimit = parsePositiveInteger(env.AUDIT_CODE_HOST_MAX_ACTIVE_SUBAGENTS ??
+        env.CODEX_MAX_ACTIVE_SUBAGENTS);
+    if (explicitEnvLimit !== null) {
+        return {
+            active_subagents: explicitEnvLimit,
+            source: "environment",
+            description: "Host active subagent limit from environment.",
+        };
+    }
+    if (env.CODEX_INTERNAL_ORIGINATOR_OVERRIDE === "Codex Desktop") {
+        return {
+            active_subagents: CODEX_DESKTOP_ACTIVE_SUBAGENT_LIMIT,
+            source: "environment",
+            description: "Codex Desktop active subagent limit.",
+        };
+    }
+    return null;
+}
+export function resolveHostActiveSubagentLimit(options) {
+    if (options.explicitLimit !== undefined && options.explicitLimit !== null) {
+        return {
+            active_subagents: options.explicitLimit,
+            source: "cli_flags",
+            description: "Host active subagent limit reported by the conversation host.",
+        };
+    }
+    const configuredLimit = parsePositiveInteger(options.sessionConfig.quota?.host_active_subagent_limit);
+    if (configuredLimit !== null) {
+        return {
+            active_subagents: configuredLimit,
+            source: "session_config",
+            description: "Host active subagent limit from session-config quota settings.",
+        };
+    }
+    return detectHostActiveSubagentLimit(options.env);
+}

package/dist/quota/index.d.ts

@@ -1,8 +1,9 @@
 export { resolveLimits, lookupKnownModel, classifyProvider } from "./limits.js";
 export type { LimitResolutionResult, ResolveLimitsOptions, ProviderType } from "./limits.js";
+export { detectHostActiveSubagentLimit, resolveHostActiveSubagentLimit, } from "./hostLimits.js";
 export { readQuotaState, writeQuotaState, computeMaxSafeConcurrency, recordWaveOutcome, getQuotaStatePath, decayWeight, applyDecayToEntry, } from "./state.js";
 export { scheduleWave, buildProviderModelKey } from "./scheduler.js";
 export type { ScheduleWaveOptions } from "./scheduler.js";
 export { probeProvider } from "./probe.js";
 export type { ProbeResult } from "./probe.js";
-export type { ResolvedLimits, LimitSource, LimitConfidence, QuotaState, QuotaStateEntry, ConcurrencyBucket, WaveSchedule, DispatchQuota, ObservedWaveOutcome, } from "./types.js";
+export type { ResolvedLimits, LimitSource, LimitConfidence, HostConcurrencyLimit, HostConcurrencyLimitSource, QuotaState, QuotaStateEntry, ConcurrencyBucket, WaveSchedule, DispatchQuota, ObservedWaveOutcome, } from "./types.js";

package/dist/quota/index.js

@@ -1,4 +1,5 @@
 export { resolveLimits, lookupKnownModel, classifyProvider } from "./limits.js";
+export { detectHostActiveSubagentLimit, resolveHostActiveSubagentLimit, } from "./hostLimits.js";
 export { readQuotaState, writeQuotaState, computeMaxSafeConcurrency, recordWaveOutcome, getQuotaStatePath, decayWeight, applyDecayToEntry, } from "./state.js";
 export { scheduleWave, buildProviderModelKey } from "./scheduler.js";
 export { probeProvider } from "./probe.js";

package/dist/quota/scheduler.d.ts

@@ -1,5 +1,5 @@
 import type { ResolvedProviderName, SessionConfig } from "../types/sessionConfig.js";
-import type { QuotaStateEntry, WaveSchedule } from "./types.js";
+import type { HostConcurrencyLimit, QuotaStateEntry, WaveSchedule } from "./types.js";
 export interface ScheduleWaveOptions {
     providerName: ResolvedProviderName;
     sessionConfig: SessionConfig;
@@ -8,6 +8,7 @@ export interface ScheduleWaveOptions {
     /** Average estimated tokens per packet/worker. Used for TPM budget. */
     estimatedPacketTokens?: number;
     quotaStateEntry?: QuotaStateEntry | null;
+    hostConcurrencyLimit?: HostConcurrencyLimit | null;
 }
 export declare function scheduleWave(options: ScheduleWaveOptions): WaveSchedule;
 /** Build the state key used for indexing quota-state.json entries. */

package/dist/quota/scheduler.js

@@ -1,9 +1,15 @@
 import { resolveLimits } from "./limits.js";
 import { computeMaxSafeConcurrency } from "./state.js";
 export function scheduleWave(options) {
-    const { providerName, sessionConfig, hostModel, requestedConcurrency, estimatedPacketTokens = 0, quotaStateEntry = null, } = options;
+    const { providerName, sessionConfig, hostModel, requestedConcurrency, estimatedPacketTokens = 0, quotaStateEntry = null, hostConcurrencyLimit = null, } = options;
     const quota = sessionConfig.quota ?? {};
+    const applyHostConcurrencyLimit = (waveSize) => {
+        if (hostConcurrencyLimit === null)
+            return waveSize;
+        return Math.min(waveSize, hostConcurrencyLimit.active_subagents);
+    };
     if (quota.enabled === false) {
+        const waveSize = Math.max(1, applyHostConcurrencyLimit(requestedConcurrency));
         const limits = {
             context_tokens: quota.default_context_tokens ?? 32_000,
             output_tokens: quota.reserved_output_tokens ?? 4_096,
@@ -12,12 +18,13 @@ export function scheduleWave(options) {
             output_tokens_per_minute: null,
         };
         return {
-            wave_size: requestedConcurrency,
-            estimated_wave_tokens: requestedConcurrency * estimatedPacketTokens,
+            wave_size: waveSize,
+            estimated_wave_tokens: waveSize * estimatedPacketTokens,
             cooldown_until: null,
             confidence: "high",
             source: "default",
             resolved_limits: limits,
+            host_concurrency_limit: hostConcurrencyLimit,
             model: hostModel,
         };
     }
@@ -51,6 +58,7 @@ export function scheduleWave(options) {
         }
         // No learned data: use requestedConcurrency and let 429 outcomes train the cap
     }
+    waveSize = applyHostConcurrencyLimit(waveSize);
     waveSize = Math.max(1, waveSize);
     return {
         wave_size: waveSize,
@@ -59,6 +67,7 @@ export function scheduleWave(options) {
         confidence,
         source,
         resolved_limits: limits,
+        host_concurrency_limit: hostConcurrencyLimit,
         model: hostModel,
     };
 }

package/dist/quota/types.d.ts

@@ -1,5 +1,11 @@
 export type LimitSource = "explicit_config" | "cli_flags" | "known_metadata" | "learned" | "default";
 export type LimitConfidence = "high" | "medium" | "low";
+export type HostConcurrencyLimitSource = "cli_flags" | "session_config" | "environment";
+export interface HostConcurrencyLimit {
+    active_subagents: number;
+    source: HostConcurrencyLimitSource;
+    description: string;
+}
 export interface ResolvedLimits {
     context_tokens: number;
     output_tokens: number;
@@ -28,6 +34,7 @@ export interface WaveSchedule {
     confidence: LimitConfidence;
     source: LimitSource;
     resolved_limits: ResolvedLimits;
+    host_concurrency_limit: HostConcurrencyLimit | null;
     model: string | null;
 }
 export interface DispatchQuota {
@@ -37,6 +44,7 @@ export interface DispatchQuota {
     resolved_limits: ResolvedLimits;
     confidence: LimitConfidence;
     source: LimitSource;
+    host_concurrency_limit: HostConcurrencyLimit | null;
     wave_size: number;
     estimated_wave_tokens: number;
     cooldown_until: string | null;

package/dist/reporting/mergeFindings.js

@@ -1,6 +1,35 @@
 function normalizeText(value) {
     return (value ?? "").trim().toLowerCase();
 }
+function wordSet(text) {
+    return new Set(text
+        .toLowerCase()
+        .replace(/[^a-z0-9\s]/g, " ")
+        .split(/\s+/)
+        .filter(Boolean));
+}
+function wordJaccard(a, b) {
+    const sa = wordSet(a);
+    const sb = wordSet(b);
+    let intersection = 0;
+    for (const w of sa) {
+        if (sb.has(w))
+            intersection++;
+    }
+    const union = sa.size + sb.size - intersection;
+    return union === 0 ? 0 : intersection / union;
+}
+function filePathOverlap(a, b) {
+    const setA = new Set(a.affected_files.map((f) => f.path));
+    const setB = new Set(b.affected_files.map((f) => f.path));
+    let intersection = 0;
+    for (const path of setA) {
+        if (setB.has(path))
+            intersection++;
+    }
+    const union = setA.size + setB.size - intersection;
+    return union === 0 ? 0 : intersection / union;
+}
 function primaryPath(finding) {
     return finding.affected_files[0]?.path ?? "";
 }
@@ -63,6 +92,62 @@ function mergeAffectedFiles(existing, incoming) {
     }
     existing.affected_files.sort((a, b) => a.path.localeCompare(b.path) || (a.line_start ?? 0) - (b.line_start ?? 0));
 }
+function deduplicateCrossLens(findings) {
+    const groups = new Map();
+    for (const finding of findings) {
+        const key = primaryPath(finding);
+        const group = groups.get(key);
+        if (group) {
+            group.push(finding);
+        }
+        else {
+            groups.set(key, [finding]);
+        }
+    }
+    const removed = new Set();
+    for (const group of groups.values()) {
+        if (group.length < 2)
+            continue;
+        for (let i = 0; i < group.length; i++) {
+            if (removed.has(group[i]))
+                continue;
+            for (let j = i + 1; j < group.length; j++) {
+                if (removed.has(group[j]))
+                    continue;
+                const a = group[i];
+                const b = group[j];
+                if (normalizeText(a.lens) === normalizeText(b.lens))
+                    continue;
+                const titleSim = wordJaccard(a.title, b.title);
+                const catMatch = normalizeText(a.category) === normalizeText(b.category);
+                const threshold = catMatch ? 0.4 : 0.5;
+                if (titleSim < threshold)
+                    continue;
+                if (filePathOverlap(a, b) < 0.5)
+                    continue;
+                const aSev = severityRank(a.severity);
+                const bSev = severityRank(b.severity);
+                const aConf = confidenceRank(a.confidence);
+                const bConf = confidenceRank(b.confidence);
+                const keepA = aSev > bSev || (aSev === bSev && aConf >= bConf);
+                const [survivor, absorbed] = keepA ? [a, b] : [b, a];
+                mergeAffectedFiles(survivor, absorbed);
+                survivor.evidence = [
+                    ...new Set([
+                        ...(survivor.evidence ?? []),
+                        ...(absorbed.evidence ?? []),
+                    ]),
+                ];
+                survivor.systemic = Boolean(survivor.systemic || absorbed.systemic);
+                if (absorbed.summary.length > survivor.summary.length) {
+                    survivor.summary = absorbed.summary;
+                }
+                removed.add(absorbed);
+            }
+        }
+    }
+    return findings.filter((f) => !removed.has(f));
+}
 export function mergeFindings(results, runtimeReport, externalAnalyzerResults) {
     const merged = new Map();
     const runtimeEvidence = runtimeSummary(runtimeReport);
@@ -109,7 +194,7 @@ export function mergeFindings(results, runtimeReport, externalAnalyzerResults) {
             ];
         }
     }
-    return [...merged.values()].sort((a, b) => {
+    return deduplicateCrossLens([...merged.values()]).sort((a, b) => {
         const severityDelta = severityRank(b.severity) - severityRank(a.severity);
         if (severityDelta !== 0)
             return severityDelta;

package/dist/types/sessionConfig.d.ts

@@ -44,6 +44,8 @@ export interface QuotaConfig {
     reserved_output_tokens?: number;
     /** Half-life of empirical success/failure evidence in hours (default: 24). */
     empirical_half_life_hours?: number;
+    /** Hard host ceiling for simultaneously active conversation subagents. */
+    host_active_subagent_limit?: number;
     /** Per-model overrides keyed by "provider/model". */
     models?: Record<string, QuotaModelLimits>;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.3.27",
+  "version": "0.3.29",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",

package/schemas/dispatch_quota.schema.json

@@ -11,6 +11,7 @@
     "resolved_limits",
     "confidence",
     "source",
+    "host_concurrency_limit",
     "wave_size",
     "estimated_wave_tokens",
     "cooldown_until"
@@ -58,6 +59,30 @@
       "enum": ["explicit_config", "cli_flags", "known_metadata", "learned", "default"],
       "description": "Where the resolved limits came from."
     },
+    "host_concurrency_limit": {
+      "type": ["object", "null"],
+      "description": "A hard host ceiling on simultaneously active subagents, if detected or reported.",
+      "required": [
+        "active_subagents",
+        "source",
+        "description"
+      ],
+      "additionalProperties": false,
+      "properties": {
+        "active_subagents": {
+          "type": "integer",
+          "minimum": 1
+        },
+        "source": {
+          "type": "string",
+          "enum": ["cli_flags", "session_config", "environment"]
+        },
+        "description": {
+          "type": "string",
+          "minLength": 1
+        }
+      }
+    },
     "wave_size": {
       "type": "integer",
       "minimum": 1,