auditor-lambda 0.3.30 → 0.3.33

package/dist/cli.js

@@ -87,6 +87,22 @@ function getOptionalBooleanFlag(argv, name) {
     }
     throw new Error(`${name} must be either true or false.`);
 }
+function optionalBooleanEnv(value) {
+    if (value === "true")
+        return true;
+    if (value === "false")
+        return false;
+    return undefined;
+}
+export function resolveHostDispatchCapability(options) {
+    if (options.explicit !== undefined) {
+        return options.explicit;
+    }
+    if (options.sessionConfig.host_can_dispatch_subagents !== undefined) {
+        return options.sessionConfig.host_can_dispatch_subagents;
+    }
+    return optionalBooleanEnv((options.env ?? process.env).AUDIT_CODE_HOST_CAN_DISPATCH) ?? false;
+}
 function toBase64Url(value) {
     return Buffer.from(value, "utf8").toString("base64url");
 }
@@ -112,6 +128,21 @@ function quoteCommandArg(value) {
 function renderCommand(argv) {
     return argv.map((item) => quoteCommandArg(item)).join(" ");
 }
+function summarizeLaunchExit(result) {
+    if (result.accepted !== false && !result.error) {
+        return null;
+    }
+    const parts = [
+        result.signal
+            ? `signal ${result.signal}`
+            : `exit code ${result.exitCode ?? "unknown"}`,
+        result.command ? `command: ${result.command}` : null,
+        result.stdoutPath ? `stdout: ${result.stdoutPath}` : null,
+        result.stderrPath ? `stderr: ${result.stderrPath}` : null,
+        result.error ?? null,
+    ].filter((part) => Boolean(part));
+    return parts.join("; ");
+}
 function taskResultPath(taskResultsDir, taskId) {
     return join(taskResultsDir, artifactNameForId(taskId, "json"));
 }
@@ -520,50 +551,6 @@ function mergeAndIngestCommand(artifactsDir, runId) {
         artifactsDir,
     ]);
 }
-function renderCapabilityCheckPrompt(params) {
-    const yesCommand = nextStepCommand(params.root, params.artifactsDir, [
-        "--host-can-dispatch-subagents",
-        "true",
-    ]);
-    const noCommand = nextStepCommand(params.root, params.artifactsDir, [
-        "--host-can-dispatch-subagents",
-        "false",
-    ]);
-    return [
-        "# audit-code capability check",
-        "",
-        "Decide one thing from the active toolset: does this host expose a callable subagent/delegation tool for source-code review, such as `task`, Agent, or an equivalent built-in subagent call?",
-        "",
-        "Do not run shell commands to answer this. Do not inspect packet prompts, schemas, or backend command catalogs.",
-        "",
-        "**If auditor MCP tools are available** (preferred — no shell required):",
-        "",
-        "Call `auditor_report_capability` with:",
-        "- `can_dispatch_subagents: true` if the `task` tool or equivalent subagent dispatch is available",
-        "- `can_dispatch_subagents: false` if not",
-        "- Optionally `can_restrict_subagent_tools: true` and/or `can_select_subagent_model: true`",
-        "- If the host documents or exposes a hard cap on simultaneously active subagents, include `max_active_subagents`.",
-        "",
-        "Read the `prompt_content` field in the tool response and follow it.",
-        "",
-        "**Fallback — if auditor MCP tools are not available:**",
-        "",
-        "If callable subagents are available, run:",
-        "",
-        `  ${yesCommand}`,
-        "",
-        "If callable subagents are not available, run:",
-        "",
-        `  ${noCommand}`,
-        "",
-        "If the host can also restrict tools per subagent or select models per subagent, add the matching `--host-can-restrict-subagent-tools true` or `--host-can-select-subagent-model true` flags to the same command. Omit those flags when unsure.",
-        "",
-        "If the host has a known active-subagent ceiling, add `--host-max-active-subagents <n>` to the same command. For Codex Desktop, use 6.",
-        "",
-        "After the command writes the next step, read and follow only its `prompt_path`.",
-        "",
-    ].join("\n");
-}
 function renderDispatchReviewPrompt(params) {
     const mergeCommand = mergeAndIngestCommand(params.artifactsDir, params.activeReviewRun.run_id);
     const continueCommand = nextStepCommand(params.root, params.artifactsDir);
@@ -573,32 +560,21 @@ function renderDispatchReviewPrompt(params) {
     const toolsLine = params.hostCanRestrictSubagentTools
         ? "Restrict review subagents to read/search plus the packet submit command named in their prompt. Do not give them source edit/write tools."
         : "Do not ask the user about per-subagent tool restrictions; this host did not report a callable restriction facility.";
-    const runId = params.activeReviewRun.run_id;
     const dispatchDataLines = params.dispatchQuotaPath
         ? [
-            "**If auditor MCP tools are available** (preferred):",
+            "Read these generated files unless the current tool response already included equivalent `dispatch_plan_entries` and `dispatch_quota` fields:",
             "",
-            "The dispatch plan entries are in the `dispatch_plan_entries` field of the tool response that returned this step. The wave schedule is in the `dispatch_quota` field.",
+            `  Dispatch plan:  ${params.dispatchPlanPath}`,
+            `  Dispatch quota: ${params.dispatchQuotaPath}`,
             "",
-            "Use the `wave_size` from `dispatch_quota`. If `cooldown_until` is non-null, wait until that timestamp before starting the first wave.",
+            "Use the `wave_size` from the quota data. If `cooldown_until` is non-null, wait until that timestamp before starting the first wave.",
             "",
-            "`dispatch_quota.host_concurrency_limit` records any detected hard host cap that contributed to `wave_size`.",
+            "`host_concurrency_limit` records any detected hard host cap that contributed to `wave_size`.",
             "",
             "For each wave: use the `task` tool (or equivalent subagent dispatch) to launch up to `wave_size` subagents in parallel (one per entry), wait for all to finish, then start the next wave.",
-            "",
-            "**Fallback — if auditor MCP tools are not available:** Read both of these files:",
-            "",
-            `  Dispatch plan:  ${params.dispatchPlanPath}`,
-            `  Dispatch quota: ${params.dispatchQuotaPath}`,
-            "",
-            "Apply the same wave logic from the quota file.",
         ]
         : [
-            "**If auditor MCP tools are available** (preferred):",
-            "",
-            "The dispatch plan entries are in the `dispatch_plan_entries` field of the tool response that returned this step.",
-            "",
-            "**Fallback — if auditor MCP tools are not available:** Read this dispatch plan JSON:",
+            "Read this generated dispatch plan unless the current tool response already included equivalent `dispatch_plan_entries`:",
             "",
             `  ${params.dispatchPlanPath}`,
             "",
@@ -622,9 +598,7 @@ function renderDispatchReviewPrompt(params) {
         "",
         "**After all waves complete:**",
         "",
-        "If auditor MCP tools are available, call `auditor_merge_and_ingest` with `{ run_id: \"" + runId + "\" }`, then call `auditor_continue_audit` and follow the `prompt_content` in the response.",
-        "",
-        "Fallback — if auditor MCP tools are not available, run exactly:",
+        "Run exactly:",
         "",
         `  ${mergeCommand}`,
         "",
@@ -1170,6 +1144,10 @@ async function cmdNextStep(argv) {
         console.log(JSON.stringify(step, null, 2));
         return;
     }
+    const hostCanDispatch = resolveHostDispatchCapability({
+        explicit: hostCanDispatchSubagents,
+        sessionConfig,
+    });
     const result = await runDeterministicForNextStep({
         root,
         artifactsDir,
@@ -1211,35 +1189,7 @@ async function cmdNextStep(argv) {
         console.log(JSON.stringify(step, null, 2));
         return;
     }
-    if (hostCanDispatchSubagents === undefined) {
-        const yesCommand = nextStepCommand(root, artifactsDir, [
-            "--host-can-dispatch-subagents",
-            "true",
-        ]);
-        const noCommand = nextStepCommand(root, artifactsDir, [
-            "--host-can-dispatch-subagents",
-            "false",
-        ]);
-        const step = await writeCurrentStep({
-            artifactsDir,
-            stepKind: "capability_check",
-            status: "ready",
-            runId: result.activeReviewRun.run_id,
-            allowedCommands: [yesCommand, noCommand],
-            stopCondition: "Run exactly one next-step command with an explicit host dispatch capability.",
-            repoRoot: root,
-            artifactPaths: {
-                active_review_task: result.activeReviewRun.task_path,
-                active_review_prompt: result.activeReviewRun.prompt_path,
-                pending_audit_tasks: result.activeReviewRun.pending_audit_tasks_path ?? null,
-                single_task_prompt: join(artifactsDir, "dispatch", "current-single-task-prompt.md"),
-            },
-            prompt: renderCapabilityCheckPrompt({ root, artifactsDir }),
-        });
-        console.log(JSON.stringify(step, null, 2));
-        return;
-    }
-    if (!hostCanDispatchSubagents) {
+    if (!hostCanDispatch) {
         const singleTaskPromptPath = join(artifactsDir, "dispatch", "current-single-task-prompt.md");
         const workerCommand = renderCommand(result.activeReviewRun.worker_command);
         const step = await writeCurrentStep({
@@ -1284,7 +1234,7 @@ async function cmdNextStep(argv) {
             mergeCommand,
             continueCommand,
         ],
-        stopCondition: "Dispatch every packet, call auditor_merge_and_ingest once, then call auditor_continue_audit.",
+        stopCondition: "Dispatch every packet, run merge-and-ingest once, then run next-step.",
         repoRoot: root,
         artifactPaths: {
             dispatch_plan: dispatch.dispatch_plan_path,
@@ -1548,6 +1498,12 @@ async function cmdRunToCompletion(argv) {
                         ? outcome.reason.message
                         : String(outcome.reason));
                 }
+                else if (outcome?.status === "fulfilled") {
+                    const launchExitSummary = summarizeLaunchExit(outcome.value);
+                    if (launchExitSummary) {
+                        launchErrorsByRunId.set(workerSlots[index].runId, launchExitSummary);
+                    }
+                }
             }
             // Result ingestion is intentionally sequential even though agent launch
             // was parallel. Writing to coverage_matrix.json is not atomic, so
@@ -1856,8 +1812,9 @@ async function cmdRunToCompletion(argv) {
         }
         const startedAt = new Date().toISOString();
         let workerResult;
+        let launchResult = null;
         try {
-            await provider.launch({
+            launchResult = await provider.launch({
                 repoRoot: root,
                 runId,
                 obligationId,
@@ -1870,9 +1827,12 @@ async function cmdRunToCompletion(argv) {
                 timeoutMs,
             });
             const candidate = await readJsonFile(paths.resultPath);
-            workerResult = isWorkerResult(candidate)
-                ? candidate
-                : {
+            if (isWorkerResult(candidate)) {
+                workerResult = candidate;
+            }
+            else {
+                const launchExitSummary = summarizeLaunchExit(launchResult);
+                workerResult = {
                     contract_version: WORKER_RESULT_CONTRACT_VERSION,
                     run_id: runId,
                     obligation_id: obligationId,
@@ -1880,13 +1840,17 @@ async function cmdRunToCompletion(argv) {
                     progress_made: false,
                     selected_executor: preferredExecutor,
                     artifacts_written: [],
-                    summary: "Worker did not emit a valid worker result.",
+                    summary: launchExitSummary
+                        ? `Worker did not emit a valid worker result after provider exit: ${launchExitSummary}`
+                        : "Worker did not emit a valid worker result.",
                     next_likely_step: decision.selected_obligation,
                     errors: ["Invalid worker result contract."],
                 };
+            }
         }
         catch (error) {
             const message = error instanceof Error ? error.message : String(error);
+            const launchExitSummary = launchResult && summarizeLaunchExit(launchResult);
             workerResult = {
                 contract_version: WORKER_RESULT_CONTRACT_VERSION,
                 run_id: runId,
@@ -1895,9 +1859,9 @@ async function cmdRunToCompletion(argv) {
                 progress_made: false,
                 selected_executor: preferredExecutor,
                 artifacts_written: [],
-                summary: `Worker launch failed for ${preferredExecutor}: ${message}`,
+                summary: `Worker launch failed for ${preferredExecutor}: ${launchExitSummary ?? message}`,
                 next_likely_step: decision.selected_obligation,
-                errors: [message],
+                errors: launchExitSummary ? [message, launchExitSummary] : [message],
             };
             await persistWorkerRunArtifacts(paths, workerResult, "provider-launch");
         }

package/dist/extractors/risk.js

@@ -1,3 +1,4 @@
+const MAX_RISK_SCORE = 10;
 export function buildRiskRegister(unitManifest, criticalFlows, externalAnalyzerResults) {
     const flowMap = new Map();
     for (const flow of criticalFlows?.flows ?? []) {
@@ -30,12 +31,13 @@ export function buildRiskRegister(unitManifest, criticalFlows, externalAnalyzerR
         if (externalHits > 0) {
             signals.push("external_analyzer_signal");
         }
+        const riskScore = (unit.risk_score ?? 0) +
+            flowHits +
+            externalHits +
+            (signals.includes("path_level_stateful_behavior") ? 1 : 0);
         return {
             unit_id: unit.unit_id,
-            risk_score: (unit.risk_score ?? 0) +
-                flowHits +
-                externalHits +
-                (signals.includes("path_level_stateful_behavior") ? 1 : 0),
+            risk_score: Math.min(MAX_RISK_SCORE, riskScore),
             signals,
             notes: [
                 "Initial heuristic risk scoring.",

package/dist/io/artifacts.d.ts

@@ -26,6 +26,7 @@ type ArtifactPayloadMap = {
     runtime_validation_tasks: RuntimeValidationTaskManifest;
     runtime_validation_report: RuntimeValidationReport;
     external_analyzer_results: ExternalAnalyzerResults;
+    syntax_resolution_status: unknown;
     audit_results: AuditResult[];
     audit_tasks: AuditTask[];
     audit_plan_metrics: AuditPlanMetrics;
@@ -63,6 +64,7 @@ export declare const ARTIFACT_DEFINITIONS: {
     readonly runtime_validation_tasks: ArtifactDefinition<"runtime_validation_tasks">;
     readonly runtime_validation_report: ArtifactDefinition<"runtime_validation_report">;
     readonly external_analyzer_results: ArtifactDefinition<"external_analyzer_results">;
+    readonly syntax_resolution_status: ArtifactDefinition<"syntax_resolution_status">;
     readonly audit_results: ArtifactDefinition<"audit_results">;
     readonly audit_tasks: ArtifactDefinition<"audit_tasks">;
     readonly audit_plan_metrics: ArtifactDefinition<"audit_plan_metrics">;

package/dist/io/artifacts.js

@@ -40,6 +40,7 @@ export const ARTIFACT_DEFINITIONS = {
     runtime_validation_tasks: jsonArtifact("runtime_validation_tasks.json", "execution"),
     runtime_validation_report: jsonArtifact("runtime_validation_report.json", "execution"),
     external_analyzer_results: jsonArtifact("external_analyzer_results.json", "execution"),
+    syntax_resolution_status: jsonArtifact("syntax_resolution_status.json", "execution"),
     audit_results: ndjsonArtifact("audit_results.jsonl", "execution"),
     audit_tasks: jsonArtifact("audit_tasks.json", "execution"),
     audit_plan_metrics: jsonArtifact("audit_plan_metrics.json", "execution"),

package/dist/io/toolingManifest.d.ts

@@ -1,2 +1,3 @@
 import type { ToolingManifest } from "../types/toolingManifest.js";
+export declare const TOOLING_INPUTS: readonly ["audit-code.mjs", "audit-code-wrapper-lib.mjs", "package.json", "dist", "schemas", "skills/audit-code"];
 export declare function buildToolingManifest(): Promise<ToolingManifest>;

package/dist/io/toolingManifest.js

@@ -3,7 +3,7 @@ import { readdir, readFile, stat } from "node:fs/promises";
 import { dirname, join, relative, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 const PACKAGE_ROOT = resolve(dirname(fileURLToPath(import.meta.url)), "..", "..");
-const TOOLING_INPUTS = [
+export const TOOLING_INPUTS = [
     "audit-code.mjs",
     "audit-code-wrapper-lib.mjs",
     "package.json",

package/dist/mcp/server.d.ts

@@ -1 +1,72 @@
+interface ServerOptions {
+    root: string;
+    artifactsDir: string;
+}
+interface JsonRpcRequest {
+    jsonrpc?: string;
+    id?: string | number | null;
+    method?: string;
+    params?: Record<string, unknown>;
+}
+interface JsonRpcResponse {
+    jsonrpc: "2.0";
+    id: string | number | null;
+    result?: unknown;
+    error?: {
+        code: number;
+        message: string;
+        data?: unknown;
+    };
+}
+interface ToolCallContext {
+    root: string;
+    artifactsDir: string;
+}
+export declare function parseContentLength(headerBlock: string): number;
+interface ResourceRegistryEntry {
+    uri: string;
+    name: string;
+    description: string;
+    mimeType: string;
+    read: (context: ToolCallContext) => Promise<{
+        mimeType: string;
+        text: string;
+    }>;
+}
+export declare const resourceRegistry: ResourceRegistryEntry[];
+interface PromptRegistryEntry {
+    name: string;
+    description: string;
+    arguments: Array<{
+        name: string;
+        required?: boolean;
+        description: string;
+    }>;
+    render: (args: Record<string, unknown> | undefined) => string;
+}
+export declare const promptRegistry: PromptRegistryEntry[];
+/**
+ * Extract zero or more complete Content-Length framed messages from a buffer.
+ * Returns an array of parsed body strings and the remaining unconsumed buffer.
+ * On framing errors, emits a framing error response via `emit` and resets the buffer.
+ */
+export declare function extractFrames(buffer: Buffer, emit: (response: JsonRpcResponse) => void): {
+    bodies: string[];
+    remaining: Buffer<ArrayBufferLike>;
+};
+interface DispatchContext {
+    version: string;
+    defaults: ServerOptions;
+    shutdownRequested: boolean;
+}
+/**
+ * Dispatch a single JSON-RPC request and return the response(s) to send,
+ * plus updated shutdown state.
+ */
+export declare function dispatchRequest(request: JsonRpcRequest, ctx: DispatchContext): Promise<{
+    responses: JsonRpcResponse[];
+    shutdownRequested: boolean;
+    exit?: number;
+}>;
 export declare function runAuditCodeMcpServer(argv: string[]): Promise<void>;
+export {};