auditor-lambda 0.3.33 → 0.3.36

package/dist/quota/index.js

@@ -1,5 +1,11 @@
 export { resolveLimits, lookupKnownModel, classifyProvider } from "./limits.js";
 export { detectHostActiveSubagentLimit, resolveHostActiveSubagentLimit, } from "./hostLimits.js";
-export { readQuotaState, writeQuotaState, computeMaxSafeConcurrency, recordWaveOutcome, getQuotaStatePath, decayWeight, applyDecayToEntry, } from "./state.js";
+export { readQuotaState, writeQuotaState, computeMaxSafeConcurrency, recordWaveOutcome, getQuotaStatePath, decayWeight, applyDecayToEntry, computeBackoffCooldownMs, computeBackoffFailureWeight, computeRampUpConcurrency, } from "./state.js";
 export { scheduleWave, buildProviderModelKey } from "./scheduler.js";
+export { detectRateLimitError, computeCooldownUntil } from "./errorParsing.js";
+export { acquireLock, releaseLock, withFileLock, FileLockTimeoutError } from "./fileLock.js";
+export { runSlidingWindow } from "./slidingWindow.js";
 export { probeProvider } from "./probe.js";
+export { GenericErrorParser, ClaudeCodeErrorParser, getErrorParserForProvider } from "./errorParsers/index.js";
+export { LearnedQuotaSource } from "./learnedQuotaSource.js";
+export { CompositeQuotaSource } from "./compositeQuotaSource.js";

package/dist/quota/learnedQuotaSource.d.ts

@@ -0,0 +1,7 @@
+import type { QuotaSource, QuotaUsageSnapshot } from "./quotaSource.js";
+export declare class LearnedQuotaSource implements QuotaSource {
+    readonly name = "learned";
+    private halfLifeHours;
+    constructor(halfLifeHours?: number);
+    queryCurrentUsage(providerModelKey: string): Promise<QuotaUsageSnapshot | null>;
+}

package/dist/quota/learnedQuotaSource.js

@@ -0,0 +1,25 @@
+import { readQuotaState, computeMaxSafeConcurrency } from "./state.js";
+export class LearnedQuotaSource {
+    name = "learned";
+    halfLifeHours;
+    constructor(halfLifeHours = 24) {
+        this.halfLifeHours = halfLifeHours;
+    }
+    async queryCurrentUsage(providerModelKey) {
+        const state = await readQuotaState();
+        const entry = state.entries[providerModelKey];
+        if (!entry)
+            return null;
+        const maxSafe = computeMaxSafeConcurrency(entry, this.halfLifeHours);
+        const isInCooldown = entry.cooldown_until != null &&
+            new Date(entry.cooldown_until).getTime() > Date.now();
+        return {
+            remaining_pct: isInCooldown ? 0 : null,
+            reset_at: isInCooldown ? entry.cooldown_until : null,
+            requests_remaining: maxSafe,
+            tokens_remaining: null,
+            captured_at: entry.updated_at,
+            source: "learned",
+        };
+    }
+}

package/dist/quota/probe.d.ts

@@ -5,9 +5,6 @@ export interface ProbeResult {
 /**
  * Probe a provider to discover its rate limits.
  *
- * Only subprocess-template supports direct probing since it is the only
- * provider where the auditor controls the API call. IDE providers
- * (claude-code, opencode) select the model internally; their limits come
- * from known-model metadata or learned behavior.
+ * @deprecated Phase 3A replaces this with the QuotaSource abstraction.
  */
 export declare function probeProvider(providerName: string, probeMode?: "auto" | "never" | "force"): Promise<ProbeResult>;

package/dist/quota/probe.js

@@ -1,10 +1,7 @@
 /**
  * Probe a provider to discover its rate limits.
  *
- * Only subprocess-template supports direct probing since it is the only
- * provider where the auditor controls the API call. IDE providers
- * (claude-code, opencode) select the model internally; their limits come
- * from known-model metadata or learned behavior.
+ * @deprecated Phase 3A replaces this with the QuotaSource abstraction.
  */
 export async function probeProvider(providerName, probeMode = "auto") {
     if (probeMode === "never") {

package/dist/quota/quotaSource.d.ts

@@ -0,0 +1,12 @@
+export interface QuotaUsageSnapshot {
+    remaining_pct: number | null;
+    reset_at: string | null;
+    requests_remaining: number | null;
+    tokens_remaining: number | null;
+    captured_at: string;
+    source: string;
+}
+export interface QuotaSource {
+    readonly name: string;
+    queryCurrentUsage(providerModelKey: string): Promise<QuotaUsageSnapshot | null>;
+}

package/dist/quota/quotaSource.js

@@ -0,0 +1 @@
+export {};

package/dist/quota/scheduler.d.ts

@@ -1,14 +1,18 @@
 import type { ResolvedProviderName, SessionConfig } from "../types/sessionConfig.js";
 import type { HostConcurrencyLimit, QuotaStateEntry, WaveSchedule } from "./types.js";
+import type { QuotaUsageSnapshot } from "./quotaSource.js";
 export interface ScheduleWaveOptions {
     providerName: ResolvedProviderName;
     sessionConfig: SessionConfig;
     hostModel: string | null;
     requestedConcurrency: number;
-    /** Average estimated tokens per packet/worker. Used for TPM budget. */
+    /** Per-slot estimated tokens (one entry per worker slot). Used for TPM budget. */
+    estimatedSlotTokens?: number[];
+    /** @deprecated Use estimatedSlotTokens instead. Average tokens per slot — used as fallback. */
     estimatedPacketTokens?: number;
     quotaStateEntry?: QuotaStateEntry | null;
     hostConcurrencyLimit?: HostConcurrencyLimit | null;
+    quotaSourceSnapshot?: QuotaUsageSnapshot | null;
 }
 export declare function scheduleWave(options: ScheduleWaveOptions): WaveSchedule;
 /** Build the state key used for indexing quota-state.json entries. */

package/dist/quota/scheduler.js

@@ -1,7 +1,20 @@
 import { classifyProvider, resolveLimits } from "./limits.js";
-import { computeMaxSafeConcurrency } from "./state.js";
+import { computeMaxSafeConcurrency, computeRampUpConcurrency } from "./state.js";
+function sumTopN(sorted, n) {
+    let sum = 0;
+    for (let i = 0; i < Math.min(n, sorted.length); i++)
+        sum += sorted[i];
+    return sum;
+}
 export function scheduleWave(options) {
-    const { providerName, sessionConfig, hostModel, requestedConcurrency, estimatedPacketTokens = 0, quotaStateEntry = null, hostConcurrencyLimit = null, } = options;
+    const { providerName, sessionConfig, hostModel, requestedConcurrency, estimatedSlotTokens, estimatedPacketTokens = 0, quotaStateEntry = null, hostConcurrencyLimit = null, quotaSourceSnapshot = null, } = options;
+    // Descending sort so sumTopN picks the largest slots
+    const slotsSorted = estimatedSlotTokens
+        ? [...estimatedSlotTokens].sort((a, b) => b - a)
+        : null;
+    const avgTokens = slotsSorted && slotsSorted.length > 0
+        ? Math.floor(slotsSorted.reduce((a, b) => a + b, 0) / slotsSorted.length)
+        : estimatedPacketTokens;
     const quota = sessionConfig.quota ?? {};
     const applyHostConcurrencyLimit = (waveSize) => {
         if (hostConcurrencyLimit === null)
@@ -19,7 +32,7 @@ export function scheduleWave(options) {
         };
         return {
             wave_size: waveSize,
-            estimated_wave_tokens: waveSize * estimatedPacketTokens,
+            estimated_wave_tokens: slotsSorted ? sumTopN(slotsSorted, waveSize) : waveSize * avgTokens,
             cooldown_until: null,
             confidence: "high",
             source: "default",
@@ -48,12 +61,25 @@ export function scheduleWave(options) {
             waveSize = Math.min(waveSize, rpmCap);
         }
         // Cap by input tokens-per-minute
-        if (limits.input_tokens_per_minute != null && estimatedPacketTokens > 0) {
-            const tpmCap = Math.max(1, Math.floor((limits.input_tokens_per_minute * safetyMargin) / estimatedPacketTokens));
-            waveSize = Math.min(waveSize, tpmCap);
+        if (limits.input_tokens_per_minute != null && avgTokens > 0) {
+            const tpmBudget = limits.input_tokens_per_minute * safetyMargin;
+            if (slotsSorted && slotsSorted.length > 0) {
+                let candidateSize = waveSize;
+                while (candidateSize > 1 && sumTopN(slotsSorted, candidateSize) > tpmBudget) {
+                    candidateSize--;
+                }
+                waveSize = Math.max(1, candidateSize);
+            }
+            else {
+                const tpmCap = Math.max(1, Math.floor(tpmBudget / avgTokens));
+                waveSize = Math.min(waveSize, tpmCap);
+            }
         }
         if (quotaStateEntry) {
-            const learnedCap = computeMaxSafeConcurrency(quotaStateEntry, halfLifeHours);
+            const rampUp = quota.ramp_up_enabled !== false;
+            const learnedCap = rampUp
+                ? computeRampUpConcurrency(quotaStateEntry, halfLifeHours)
+                : computeMaxSafeConcurrency(quotaStateEntry, halfLifeHours);
             waveSize = Math.min(waveSize, learnedCap);
         }
         else {
@@ -61,22 +87,38 @@ export function scheduleWave(options) {
             const fallbackCap = providerType === "local"
                 ? quota.unknown_local_concurrency
                 : (quota.unknown_hosted_concurrency ?? 1);
-            if (typeof fallbackCap === "number" && Number.isFinite(fallbackCap)) {
+            if (fallbackCap === "unlimited") {
+                // no cap — "unlimited" intentionally skips clamping
+            }
+            else if (typeof fallbackCap === "number" && Number.isFinite(fallbackCap)) {
                 waveSize = Math.min(waveSize, Math.max(1, Math.floor(fallbackCap)));
             }
         }
     }
+    // Apply real-time quota source data if available
+    if (quotaSourceSnapshot && !cooldownUntil) {
+        if (quotaSourceSnapshot.remaining_pct != null && quotaSourceSnapshot.remaining_pct < 0.1) {
+            waveSize = 1;
+            if (quotaSourceSnapshot.reset_at) {
+                cooldownUntil = quotaSourceSnapshot.reset_at;
+            }
+        }
+        else if (quotaSourceSnapshot.remaining_pct != null && quotaSourceSnapshot.remaining_pct < 0.3) {
+            waveSize = Math.min(waveSize, Math.max(1, Math.floor(waveSize * 0.5)));
+        }
+    }
     waveSize = applyHostConcurrencyLimit(waveSize);
     waveSize = Math.max(1, waveSize);
     return {
         wave_size: waveSize,
-        estimated_wave_tokens: waveSize * estimatedPacketTokens,
+        estimated_wave_tokens: slotsSorted ? sumTopN(slotsSorted, waveSize) : waveSize * avgTokens,
         cooldown_until: cooldownUntil,
         confidence,
         source,
         resolved_limits: limits,
         host_concurrency_limit: hostConcurrencyLimit,
         model: hostModel,
+        quota_source_snapshot: quotaSourceSnapshot,
     };
 }
 /** Build the state key used for indexing quota-state.json entries. */

package/dist/quota/slidingWindow.d.ts

@@ -0,0 +1,4 @@
+export interface SlidingWindowResult<T> {
+    results: PromiseSettledResult<T>[];
+}
+export declare function runSlidingWindow<T>(tasks: Array<() => Promise<T>>, concurrency: number, onComplete?: (index: number, result: PromiseSettledResult<T>) => void): Promise<SlidingWindowResult<T>>;

package/dist/quota/slidingWindow.js

@@ -0,0 +1,28 @@
+export async function runSlidingWindow(tasks, concurrency, onComplete) {
+    const results = new Array(tasks.length);
+    let nextIndex = 0;
+    async function runOne(index) {
+        let result;
+        try {
+            const value = await tasks[index]();
+            result = { status: "fulfilled", value };
+        }
+        catch (reason) {
+            result = { status: "rejected", reason };
+        }
+        results[index] = result;
+        onComplete?.(index, result);
+        if (nextIndex < tasks.length) {
+            const next = nextIndex++;
+            await runOne(next);
+        }
+    }
+    const initialBatch = Math.min(concurrency, tasks.length);
+    const runners = [];
+    for (let i = 0; i < initialBatch; i++) {
+        const idx = nextIndex++;
+        runners.push(runOne(idx));
+    }
+    await Promise.all(runners);
+    return { results };
+}

package/dist/quota/state.d.ts

@@ -9,4 +9,7 @@ export declare function writeQuotaState(state: QuotaState): Promise<void>;
  * exceeds failure evidence, with a minimum of 1.
  */
 export declare function computeMaxSafeConcurrency(entry: QuotaStateEntry, halfLifeHours: number, maxToCheck?: number): number;
+export declare function computeRampUpConcurrency(entry: QuotaStateEntry, halfLifeHours: number, maxToCheck?: number): number;
+export declare function computeBackoffCooldownMs(consecutive429Count: number): number;
+export declare function computeBackoffFailureWeight(consecutive429Count: number): number;
 export declare function recordWaveOutcome(providerModelKey: string, outcome: ObservedWaveOutcome, halfLifeHours: number): Promise<void>;

package/dist/quota/state.js

@@ -1,6 +1,7 @@
 import { mkdir, readFile, writeFile } from "node:fs/promises";
 import { homedir } from "node:os";
 import { join } from "node:path";
+import { withFileLock } from "./fileLock.js";
 const STATE_DIR = join(homedir(), ".audit-code");
 const STATE_PATH = join(STATE_DIR, "quota-state.json");
 // A bucket needs at least this much success weight before we trust it.
@@ -27,31 +28,38 @@ export function applyDecayToEntry(entry, halfLifeHours) {
     return { ...entry, buckets: decayed };
 }
 function isQuotaState(value) {
-    return (value !== null &&
-        typeof value === "object" &&
-        !Array.isArray(value) &&
-        value["version"] === 1 &&
-        typeof value["entries"] === "object");
+    if (value === null || typeof value !== "object" || Array.isArray(value))
+        return false;
+    const obj = value;
+    const version = obj["version"];
+    return (version === 1 || version === 2) && typeof obj["entries"] === "object";
 }
 export async function readQuotaState() {
     try {
         const raw = await readFile(STATE_PATH, "utf8");
         const parsed = JSON.parse(raw);
-        if (isQuotaState(parsed))
+        if (isQuotaState(parsed)) {
+            if (parsed.version === 1) {
+                for (const entry of Object.values(parsed.entries)) {
+                    entry.consecutive_429_count ??= 0;
+                }
+            }
             return parsed;
-        process.stderr.write(`[quota] ignoring invalid quota state at ${STATE_PATH}: expected { version: 1, entries: object }\n`);
+        }
+        process.stderr.write(`[quota] ignoring invalid quota state at ${STATE_PATH}: expected { version: 1|2, entries: object }\n`);
     }
     catch (error) {
         if (error.code === "ENOENT") {
-            return { version: 1, entries: {} };
+            return { version: 2, entries: {} };
         }
         process.stderr.write(`[quota] ignoring unreadable quota state at ${STATE_PATH}: ${error instanceof Error ? error.message : String(error)}\n`);
     }
-    return { version: 1, entries: {} };
+    return { version: 2, entries: {} };
 }
 export async function writeQuotaState(state) {
     await mkdir(STATE_DIR, { recursive: true });
-    await writeFile(STATE_PATH, JSON.stringify(state, null, 2) + "\n", "utf8");
+    const normalized = { ...state, version: 2 };
+    await writeFile(STATE_PATH, JSON.stringify(normalized, null, 2) + "\n", "utf8");
 }
 /**
  * Returns the highest concurrency level for which decayed success evidence
@@ -74,14 +82,39 @@ export function computeMaxSafeConcurrency(entry, halfLifeHours, maxToCheck = 32)
     }
     return maxSafe;
 }
+const RAMP_UP_MIN_SUCCESSES = 2;
+export function computeRampUpConcurrency(entry, halfLifeHours, maxToCheck = 32) {
+    const maxSafe = computeMaxSafeConcurrency(entry, halfLifeHours, maxToCheck);
+    const decayed = applyDecayToEntry(entry, halfLifeHours);
+    const bucket = decayed.buckets[String(maxSafe)];
+    if (bucket &&
+        bucket.success_weight >= RAMP_UP_MIN_SUCCESSES &&
+        bucket.failure_weight === 0) {
+        return maxSafe + 1;
+    }
+    return maxSafe;
+}
 function blankEntry() {
     return { updated_at: new Date().toISOString(), buckets: {}, cooldown_until: null, last_429_at: null };
 }
+const BASE_COOLDOWN_MS = 60_000;
+const MAX_COOLDOWN_MS = 15 * 60_000;
+export function computeBackoffCooldownMs(consecutive429Count) {
+    const ms = BASE_COOLDOWN_MS * Math.pow(2, Math.max(0, consecutive429Count - 1));
+    return Math.min(ms, MAX_COOLDOWN_MS);
+}
+export function computeBackoffFailureWeight(consecutive429Count) {
+    return 1.0 + 0.5 * Math.max(0, consecutive429Count - 1);
+}
+const LOCK_PATH = STATE_PATH + ".lock";
 export async function recordWaveOutcome(providerModelKey, outcome, halfLifeHours) {
+    await withFileLock(LOCK_PATH, () => recordWaveOutcomeUnsafe(providerModelKey, outcome, halfLifeHours));
+}
+async function recordWaveOutcomeUnsafe(providerModelKey, outcome, halfLifeHours) {
     const state = await readQuotaState();
     const entry = applyDecayToEntry(state.entries[providerModelKey] ?? blankEntry(), halfLifeHours);
     if (outcome.outcome === "success") {
-        // Success at N proves 1..N are all safe
+        entry.consecutive_429_count = 0;
         for (let n = 1; n <= outcome.concurrency; n++) {
             const bucket = entry.buckets[String(n)] ?? { success_weight: 0, failure_weight: 0 };
             bucket.success_weight += 1.0;
@@ -89,13 +122,23 @@ export async function recordWaveOutcome(providerModelKey, outcome, halfLifeHours
         }
     }
     else {
+        const prev429Count = entry.consecutive_429_count ?? 0;
+        const new429Count = outcome.outcome === "rate_limited" ? prev429Count + 1 : prev429Count;
+        entry.consecutive_429_count = new429Count;
         entry.last_429_at = new Date().toISOString();
-        if (outcome.cooldown_until)
+        if (outcome.outcome === "rate_limited" && new429Count > 0) {
+            const backoffMs = computeBackoffCooldownMs(new429Count);
+            entry.cooldown_until = new Date(Date.now() + backoffMs).toISOString();
+        }
+        else if (outcome.cooldown_until) {
             entry.cooldown_until = outcome.cooldown_until;
-        // Failure at N marks N and above as unsafe
+        }
+        const failureWeight = outcome.outcome === "rate_limited"
+            ? computeBackoffFailureWeight(new429Count)
+            : 1.0;
         for (let n = outcome.concurrency; n <= outcome.concurrency + 4; n++) {
             const bucket = entry.buckets[String(n)] ?? { success_weight: 0, failure_weight: 0 };
-            bucket.failure_weight += 1.0;
+            bucket.failure_weight += failureWeight;
             entry.buckets[String(n)] = bucket;
         }
     }

package/dist/quota/types.d.ts

@@ -22,9 +22,10 @@ export interface QuotaStateEntry {
     buckets: Record<string, ConcurrencyBucket>;
     cooldown_until: string | null;
     last_429_at: string | null;
+    consecutive_429_count?: number;
 }
 export interface QuotaState {
-    version: 1;
+    version: 1 | 2;
     entries: Record<string, QuotaStateEntry>;
 }
 export interface WaveSchedule {
@@ -36,9 +37,15 @@ export interface WaveSchedule {
     resolved_limits: ResolvedLimits;
     host_concurrency_limit: HostConcurrencyLimit | null;
     model: string | null;
+    quota_source_snapshot?: import("./quotaSource.js").QuotaUsageSnapshot | null;
+}
+export interface BackoffState {
+    consecutive_429_count: number;
+    current_cooldown_ms: number;
+    current_failure_weight: number;
 }
 export interface DispatchQuota {
-    contract_version: "audit-code-dispatch-quota/v1alpha1";
+    contract_version: "audit-code-dispatch-quota/v1alpha1" | "audit-code-dispatch-quota/v1alpha2";
     run_id: string;
     model: string | null;
     resolved_limits: ResolvedLimits;
@@ -48,6 +55,8 @@ export interface DispatchQuota {
     wave_size: number;
     estimated_wave_tokens: number;
     cooldown_until: string | null;
+    quota_source_snapshot?: import("./quotaSource.js").QuotaUsageSnapshot | null;
+    backoff_state?: BackoffState | null;
 }
 export interface ObservedWaveOutcome {
     concurrency: number;

package/dist/reporting/mergeFindings.js

@@ -92,6 +92,78 @@ function mergeAffectedFiles(existing, incoming) {
     }
     existing.affected_files.sort((a, b) => a.path.localeCompare(b.path) || (a.line_start ?? 0) - (b.line_start ?? 0));
 }
+function absorbFinding(survivor, absorbed) {
+    mergeAffectedFiles(survivor, absorbed);
+    survivor.evidence = [
+        ...new Set([
+            ...(survivor.evidence ?? []),
+            ...(absorbed.evidence ?? []),
+        ]),
+    ];
+    survivor.systemic = Boolean(survivor.systemic || absorbed.systemic);
+    if (absorbed.summary.length > survivor.summary.length) {
+        survivor.summary = absorbed.summary;
+    }
+}
+function lineRangeOverlaps(a, b) {
+    const aFile = a.affected_files[0];
+    const bFile = b.affected_files[0];
+    if (!aFile || !bFile)
+        return false;
+    if (aFile.path !== bFile.path)
+        return false;
+    const aStart = aFile.line_start ?? 0;
+    const aEnd = aFile.line_end ?? aStart;
+    const bStart = bFile.line_start ?? 0;
+    const bEnd = bFile.line_end ?? bStart;
+    if (aEnd === 0 && bEnd === 0)
+        return true;
+    return aStart <= bEnd && bStart <= aEnd;
+}
+function deduplicateSameLens(findings) {
+    const groups = new Map();
+    for (const finding of findings) {
+        const key = `${normalizeText(finding.lens)}:${primaryPath(finding)}`;
+        const group = groups.get(key);
+        if (group) {
+            group.push(finding);
+        }
+        else {
+            groups.set(key, [finding]);
+        }
+    }
+    const removed = new Set();
+    for (const group of groups.values()) {
+        if (group.length < 2)
+            continue;
+        for (let i = 0; i < group.length; i++) {
+            if (removed.has(group[i]))
+                continue;
+            for (let j = i + 1; j < group.length; j++) {
+                if (removed.has(group[j]))
+                    continue;
+                const a = group[i];
+                const b = group[j];
+                const titleSim = wordJaccard(a.title, b.title);
+                const catMatch = normalizeText(a.category) === normalizeText(b.category);
+                const threshold = catMatch ? 0.35 : 0.45;
+                if (titleSim < threshold)
+                    continue;
+                if (!lineRangeOverlaps(a, b) && filePathOverlap(a, b) < 0.5)
+                    continue;
+                const aSev = severityRank(a.severity);
+                const bSev = severityRank(b.severity);
+                const aConf = confidenceRank(a.confidence);
+                const bConf = confidenceRank(b.confidence);
+                const keepA = aSev > bSev || (aSev === bSev && aConf >= bConf);
+                const [survivor, absorbed] = keepA ? [a, b] : [b, a];
+                absorbFinding(survivor, absorbed);
+                removed.add(absorbed);
+            }
+        }
+    }
+    return findings.filter((f) => !removed.has(f));
+}
 function deduplicateCrossLens(findings) {
     const groups = new Map();
     for (const finding of findings) {
@@ -131,27 +203,41 @@ function deduplicateCrossLens(findings) {
                 const bConf = confidenceRank(b.confidence);
                 const keepA = aSev > bSev || (aSev === bSev && aConf >= bConf);
                 const [survivor, absorbed] = keepA ? [a, b] : [b, a];
-                mergeAffectedFiles(survivor, absorbed);
-                survivor.evidence = [
-                    ...new Set([
-                        ...(survivor.evidence ?? []),
-                        ...(absorbed.evidence ?? []),
-                    ]),
-                ];
-                survivor.systemic = Boolean(survivor.systemic || absorbed.systemic);
-                if (absorbed.summary.length > survivor.summary.length) {
-                    survivor.summary = absorbed.summary;
-                }
+                absorbFinding(survivor, absorbed);
                 removed.add(absorbed);
             }
         }
     }
     return findings.filter((f) => !removed.has(f));
 }
+function relevantRuntimeEvidence(finding, report) {
+    if (!report)
+        return [];
+    const findingPaths = new Set(finding.affected_files.map((f) => f.path));
+    return report.results
+        .filter((result) => result.status !== "pending")
+        .filter((result) => {
+        const taskPaths = result.notes
+            ?.flatMap((note) => {
+            const match = note.match(/Target paths:\s*(.+)/);
+            return match ? match[1].split(",").map((p) => p.trim()) : [];
+        }) ?? [];
+        if (taskPaths.length === 0)
+            return true;
+        return taskPaths.some((p) => findingPaths.has(p));
+    })
+        .map((result) => `${result.task_id}: ${result.status} — ${result.summary}`);
+}
+function relevantExternalEvidence(finding, results) {
+    if (!results)
+        return [];
+    const findingPaths = new Set(finding.affected_files.map((f) => f.path));
+    return results.results
+        .filter((item) => findingPaths.has(item.path))
+        .map((item) => `external:${results.tool}:${item.path}:${item.summary}`);
+}
 export function mergeFindings(results, runtimeReport, externalAnalyzerResults) {
     const merged = new Map();
-    const runtimeEvidence = runtimeSummary(runtimeReport);
-    const analyzerEvidence = externalSummary(externalAnalyzerResults);
     for (const result of results) {
         for (const finding of result.findings) {
             const key = findingKey(finding);
@@ -160,13 +246,7 @@ export function mergeFindings(results, runtimeReport, externalAnalyzerResults) {
                 merged.set(key, {
                     ...finding,
                     affected_files: [...finding.affected_files],
-                    evidence: [
-                        ...new Set([
-                            ...(finding.evidence ?? []),
-                            ...runtimeEvidence,
-                            ...analyzerEvidence,
-                        ]),
-                    ],
+                    evidence: [...(finding.evidence ?? [])],
                 });
                 continue;
             }
@@ -188,13 +268,25 @@ export function mergeFindings(results, runtimeReport, externalAnalyzerResults) {
                 ...new Set([
                     ...(existing.evidence ?? []),
                     ...(finding.evidence ?? []),
-                    ...runtimeEvidence,
-                    ...analyzerEvidence,
                 ]),
             ];
         }
     }
-    return deduplicateCrossLens([...merged.values()]).sort((a, b) => {
+    for (const finding of merged.values()) {
+        const runtimeEv = relevantRuntimeEvidence(finding, runtimeReport);
+        const externalEv = relevantExternalEvidence(finding, externalAnalyzerResults);
+        if (runtimeEv.length > 0 || externalEv.length > 0) {
+            finding.evidence = [
+                ...new Set([
+                    ...(finding.evidence ?? []),
+                    ...runtimeEv,
+                    ...externalEv,
+                ]),
+            ];
+        }
+    }
+    const dedupedSameLens = deduplicateSameLens([...merged.values()]);
+    return deduplicateCrossLens(dedupedSameLens).sort((a, b) => {
         const severityDelta = severityRank(b.severity) - severityRank(a.severity);
         if (severityDelta !== 0)
             return severityDelta;

package/dist/types/sessionConfig.d.ts

@@ -44,6 +44,8 @@ export interface QuotaConfig {
     reserved_output_tokens?: number;
     /** Half-life of empirical success/failure evidence in hours (default: 24). */
     empirical_half_life_hours?: number;
+    /** Allow the scheduler to try concurrency maxSafe+1 after consecutive successes (default: true). */
+    ramp_up_enabled?: boolean;
     /** Hard host ceiling for simultaneously active conversation subagents. */
     host_active_subagent_limit?: number;
     /** Per-model overrides keyed by "provider/model". */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.3.33",
+  "version": "0.3.36",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",

package/schemas/dispatch_quota.schema.json

@@ -1,6 +1,6 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
-  "$id": "audit-code-dispatch-quota/v1alpha1",
+  "$id": "audit-code-dispatch-quota/v1alpha2",
   "title": "DispatchQuota",
   "description": "Quota schedule for a prepare-dispatch run. Written beside dispatch-plan.json. Hosts must launch at most wave_size packets per wave, then re-read this file before the next wave to pick up any updated limits.",
   "type": "object",
@@ -20,7 +20,7 @@
   "properties": {
     "contract_version": {
       "type": "string",
-      "const": "audit-code-dispatch-quota/v1alpha1"
+      "enum": ["audit-code-dispatch-quota/v1alpha1", "audit-code-dispatch-quota/v1alpha2"]
     },
     "run_id": {
       "type": "string",
@@ -97,6 +97,27 @@
       "type": ["string", "null"],
       "format": "date-time",
       "description": "If non-null, the host should wait until this timestamp before launching the next wave."
+    },
+    "quota_source_snapshot": {
+      "type": ["object", "null"],
+      "description": "Real-time usage snapshot from a QuotaSource, if available.",
+      "properties": {
+        "remaining_pct": { "type": ["number", "null"] },
+        "reset_at": { "type": ["string", "null"], "format": "date-time" },
+        "requests_remaining": { "type": ["integer", "null"] },
+        "tokens_remaining": { "type": ["integer", "null"] },
+        "captured_at": { "type": "string", "format": "date-time" },
+        "source": { "type": "string" }
+      }
+    },
+    "backoff_state": {
+      "type": ["object", "null"],
+      "description": "Exponential backoff state for repeated rate-limit errors.",
+      "properties": {
+        "consecutive_429_count": { "type": "integer", "minimum": 0 },
+        "current_cooldown_ms": { "type": "integer", "minimum": 0 },
+        "current_failure_weight": { "type": "number", "minimum": 0 }
+      }
     }
   }
 }