npm - auditor-lambda - Versions diffs - 0.3.34 → 0.3.36 - Mend

auditor-lambda 0.3.34 → 0.3.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/cli.js +13 -0
package/dist/orchestrator/selectiveDeepening.d.ts +2 -0
package/dist/orchestrator/selectiveDeepening.js +10 -1
package/dist/orchestrator/state.js +2 -17
package/dist/providers/opencodeProvider.js +23 -3
package/dist/providers/spawnLoggedCommand.js +0 -5
package/dist/reporting/mergeFindings.js +115 -23
package/package.json +1 -1

package/dist/cli.js CHANGED Viewed

@@ -1282,12 +1282,25 @@ async function cmdRunToCompletion(argv) {
     let pendingRuntimeUpdatesPath = getFlag(argv, "--updates");
     let pendingExternalAnalyzerPath = getFlag(argv, "--external-analyzer-results");
     let runCount = 0;
+    let deepeningCycles = 0;
+    const MAX_DEEPENING_CYCLES = 3;
     let anyProgress = false;
     let lastResult = null;
     const artifactsWritten = new Set();
     while (runCount < maxRuns) {
         const bundle = await loadArtifactBundle(artifactsDir);
         const decision = decideNextStep(bundle);
+        if (decision.selected_executor === "agent" &&
+            bundle.audit_tasks?.some((t) => t.tags?.includes("selective_deepening") &&
+                t.status !== "complete") &&
+            !bundle.audit_tasks?.some((t) => !t.tags?.includes("selective_deepening") &&
+                t.status !== "complete")) {
+            deepeningCycles++;
+            if (deepeningCycles > MAX_DEEPENING_CYCLES) {
+                process.stderr.write(`[audit-code] Reached max deepening cycles (${MAX_DEEPENING_CYCLES}). Stopping to prevent churn.\n`);
+                break;
+            }
+        }
         let preferredExecutor = decision.selected_executor;
         let obligationId = decision.selected_obligation;
         let auditResultsPath;

package/dist/orchestrator/selectiveDeepening.d.ts CHANGED Viewed

@@ -9,10 +9,12 @@ export interface BuildSelectiveDeepeningTaskOptions {
     runtimeValidationReport?: RuntimeValidationReport;
     externalAnalyzerResults?: ExternalAnalyzerResults;
     maxTasks?: number;
+    maxTotalDeepeningTasks?: number;
 }
 export declare function buildSelectiveDeepeningTasks(options: BuildSelectiveDeepeningTaskOptions): AuditTask[];
 export declare const selectiveDeepeningTestUtils: {
     DEEPENING_TAG: string;
     LENS_VERIFICATION_TAG: string;
     LENS_VERIFICATION_FOLLOWUP_TAG: string;
+    DEFAULT_MAX_TOTAL_DEEPENING_TASKS: number;
 };

package/dist/orchestrator/selectiveDeepening.js CHANGED Viewed

@@ -1,5 +1,6 @@
 import { createHash } from "node:crypto";
 const DEFAULT_MAX_DEEPENING_TASKS = 6;
+const DEFAULT_MAX_TOTAL_DEEPENING_TASKS = 24;
 const DEEPENING_TAG = "selective_deepening";
 const LENS_VERIFICATION_TAG = "lens_verification";
 const LENS_VERIFICATION_FOLLOWUP_TAG = "lens_verification_followup";
@@ -649,9 +650,16 @@ export function buildSelectiveDeepeningTasks(options) {
     const existingTasks = options.existingTasks ?? [];
     const existingIds = new Set(taskById.keys());
     const maxTasks = options.maxTasks ?? DEFAULT_MAX_DEEPENING_TASKS;
+    const maxTotalDeepeningTasks = options.maxTotalDeepeningTasks ?? DEFAULT_MAX_TOTAL_DEEPENING_TASKS;
+    const existingDeepeningCount = existingTasks.filter((task) => isDeepeningTask(task)).length;
+    if (existingDeepeningCount >= maxTotalDeepeningTasks) {
+        return [];
+    }
+    const remainingBudget = maxTotalDeepeningTasks - existingDeepeningCount;
+    const effectiveMax = Math.min(maxTasks, remainingBudget);
     const created = [];
     function pushIfNew(task) {
-        if (created.length >= maxTasks || existingIds.has(task.task_id)) {
+        if (created.length >= effectiveMax || existingIds.has(task.task_id)) {
             return;
         }
         existingIds.add(task.task_id);
@@ -748,4 +756,5 @@ export const selectiveDeepeningTestUtils = {
     DEEPENING_TAG,
     LENS_VERIFICATION_TAG,
     LENS_VERIFICATION_FOLLOWUP_TAG,
+    DEFAULT_MAX_TOTAL_DEEPENING_TASKS,
 };

package/dist/orchestrator/state.js CHANGED Viewed

@@ -42,31 +42,16 @@ export function deriveAuditState(bundle) {
         "audit_tasks.json",
         "requeue_tasks.json",
     ], planningReady)));
-    const hasRequiredCoverage = bundle.coverage_matrix?.files.every((f) => f.required_lenses.every((req) => f.completed_lenses.includes(req))) ?? true;
     const completedTaskIds = new Set((bundle.audit_results ?? []).map((result) => result.task_id));
     const hasPendingAuditTasks = bundle.audit_tasks?.some((task) => task.status !== "complete" && !completedTaskIds.has(task.task_id)) ?? false;
-    const hasCompletedTaskStatuses = bundle.audit_tasks?.length
-        ? bundle.audit_tasks.every((task) => task.status === "complete")
-        : false;
-    const hasResultForEveryTask = bundle.audit_tasks?.length && bundle.audit_results
-        ? bundle.audit_tasks.every((task) => bundle.audit_results?.some((result) => result.task_id === task.task_id))
-        : false;
     if (hasPendingAuditTasks) {
         obligations.push(obligation("audit_tasks_completed", "missing"));
     }
-    else if (!hasRequiredCoverage &&
-        !hasCompletedTaskStatuses &&
-        !hasResultForEveryTask &&
-        has(bundle.audit_tasks) &&
-        (bundle.audit_tasks?.length ?? 0) > 0) {
-        obligations.push(obligation("audit_tasks_completed", "missing"));
-    }
-    else if ((hasRequiredCoverage || hasCompletedTaskStatuses || hasResultForEveryTask) &&
-        has(bundle.audit_tasks)) {
+    else if (has(bundle.audit_tasks)) {
         obligations.push(obligation("audit_tasks_completed", "satisfied"));
     }
     obligations.push(obligation("audit_results_ingested", (bundle.audit_tasks?.length ?? 0) === 0 || has(bundle.audit_results)
-        ? "present"
+        ? "satisfied"
         : "missing"));
     const runtimeTasks = bundle.runtime_validation_tasks?.tasks ?? [];
     const runtimeResults = bundle.runtime_validation_report?.results ?? [];

package/dist/providers/opencodeProvider.js CHANGED Viewed

@@ -1,5 +1,24 @@
 import { readFile } from "node:fs/promises";
 import { spawnLoggedCommand } from "./spawnLoggedCommand.js";
+function resolveOpenCodeSpawnCommand(command, args, platform = process.platform, shellCommand = process.env.ComSpec ?? "cmd.exe") {
+    if (platform !== "win32") {
+        return { command, args };
+    }
+    const base = command.replace(/\.(cmd|bat|exe)$/i, "").toLowerCase();
+    if (base === "opencode" || base === "npx" || command.endsWith(".cmd")) {
+        return {
+            command: shellCommand,
+            args: ["/d", "/s", "/c", [command, ...args].map(quoteCmdArg).join(" ")],
+        };
+    }
+    return { command, args };
+}
+function quoteCmdArg(value) {
+    if (/^[A-Za-z0-9_./:=+-]+$/.test(value)) {
+        return value;
+    }
+    return `"${value.replace(/(["^&|<>%])/g, "^$1")}"`;
+}
 export class OpenCodeProvider {
     name = "opencode";
     config;
@@ -8,8 +27,9 @@ export class OpenCodeProvider {
     }
     async launch(input) {
         const prompt = await readFile(input.promptPath, "utf8");
-        const command = this.config.command ?? "opencode";
-        const args = ["run", prompt, ...(this.config.extra_args ?? [])];
-        return await spawnLoggedCommand(command, args, input);
+        const baseCommand = this.config.command ?? "opencode";
+        const baseArgs = ["run", prompt, ...(this.config.extra_args ?? [])];
+        const resolved = resolveOpenCodeSpawnCommand(baseCommand, baseArgs);
+        return await spawnLoggedCommand(resolved.command, resolved.args, input);
     }
 }

package/dist/providers/spawnLoggedCommand.js CHANGED Viewed

@@ -152,13 +152,8 @@ export async function spawnLoggedCommand(command, args, input, env, options = {}
         });
         spawnedChild.on("error", fail);
         spawnedChild.on("exit", (code, signal) => {
-            if (!timedOut) {
-                return;
-            }
-            childClosed = true;
             closeCode = code;
             closeSignal = signal;
-            maybeSettleFromClose();
         });
         spawnedChild.on("close", (code, signal) => {
             childClosed = true;

package/dist/reporting/mergeFindings.js CHANGED Viewed

@@ -92,6 +92,78 @@ function mergeAffectedFiles(existing, incoming) {
     }
     existing.affected_files.sort((a, b) => a.path.localeCompare(b.path) || (a.line_start ?? 0) - (b.line_start ?? 0));
 }
+function absorbFinding(survivor, absorbed) {
+    mergeAffectedFiles(survivor, absorbed);
+    survivor.evidence = [
+        ...new Set([
+            ...(survivor.evidence ?? []),
+            ...(absorbed.evidence ?? []),
+        ]),
+    ];
+    survivor.systemic = Boolean(survivor.systemic || absorbed.systemic);
+    if (absorbed.summary.length > survivor.summary.length) {
+        survivor.summary = absorbed.summary;
+    }
+}
+function lineRangeOverlaps(a, b) {
+    const aFile = a.affected_files[0];
+    const bFile = b.affected_files[0];
+    if (!aFile || !bFile)
+        return false;
+    if (aFile.path !== bFile.path)
+        return false;
+    const aStart = aFile.line_start ?? 0;
+    const aEnd = aFile.line_end ?? aStart;
+    const bStart = bFile.line_start ?? 0;
+    const bEnd = bFile.line_end ?? bStart;
+    if (aEnd === 0 && bEnd === 0)
+        return true;
+    return aStart <= bEnd && bStart <= aEnd;
+}
+function deduplicateSameLens(findings) {
+    const groups = new Map();
+    for (const finding of findings) {
+        const key = `${normalizeText(finding.lens)}:${primaryPath(finding)}`;
+        const group = groups.get(key);
+        if (group) {
+            group.push(finding);
+        }
+        else {
+            groups.set(key, [finding]);
+        }
+    }
+    const removed = new Set();
+    for (const group of groups.values()) {
+        if (group.length < 2)
+            continue;
+        for (let i = 0; i < group.length; i++) {
+            if (removed.has(group[i]))
+                continue;
+            for (let j = i + 1; j < group.length; j++) {
+                if (removed.has(group[j]))
+                    continue;
+                const a = group[i];
+                const b = group[j];
+                const titleSim = wordJaccard(a.title, b.title);
+                const catMatch = normalizeText(a.category) === normalizeText(b.category);
+                const threshold = catMatch ? 0.35 : 0.45;
+                if (titleSim < threshold)
+                    continue;
+                if (!lineRangeOverlaps(a, b) && filePathOverlap(a, b) < 0.5)
+                    continue;
+                const aSev = severityRank(a.severity);
+                const bSev = severityRank(b.severity);
+                const aConf = confidenceRank(a.confidence);
+                const bConf = confidenceRank(b.confidence);
+                const keepA = aSev > bSev || (aSev === bSev && aConf >= bConf);
+                const [survivor, absorbed] = keepA ? [a, b] : [b, a];
+                absorbFinding(survivor, absorbed);
+                removed.add(absorbed);
+            }
+        }
+    }
+    return findings.filter((f) => !removed.has(f));
+}
 function deduplicateCrossLens(findings) {
     const groups = new Map();
     for (const finding of findings) {
@@ -131,27 +203,41 @@ function deduplicateCrossLens(findings) {
                 const bConf = confidenceRank(b.confidence);
                 const keepA = aSev > bSev || (aSev === bSev && aConf >= bConf);
                 const [survivor, absorbed] = keepA ? [a, b] : [b, a];
-                mergeAffectedFiles(survivor, absorbed);
-                survivor.evidence = [
-                    ...new Set([
-                        ...(survivor.evidence ?? []),
-                        ...(absorbed.evidence ?? []),
-                    ]),
-                ];
-                survivor.systemic = Boolean(survivor.systemic || absorbed.systemic);
-                if (absorbed.summary.length > survivor.summary.length) {
-                    survivor.summary = absorbed.summary;
-                }
+                absorbFinding(survivor, absorbed);
                 removed.add(absorbed);
             }
         }
     }
     return findings.filter((f) => !removed.has(f));
 }
+function relevantRuntimeEvidence(finding, report) {
+    if (!report)
+        return [];
+    const findingPaths = new Set(finding.affected_files.map((f) => f.path));
+    return report.results
+        .filter((result) => result.status !== "pending")
+        .filter((result) => {
+        const taskPaths = result.notes
+            ?.flatMap((note) => {
+            const match = note.match(/Target paths:\s*(.+)/);
+            return match ? match[1].split(",").map((p) => p.trim()) : [];
+        }) ?? [];
+        if (taskPaths.length === 0)
+            return true;
+        return taskPaths.some((p) => findingPaths.has(p));
+    })
+        .map((result) => `${result.task_id}: ${result.status} — ${result.summary}`);
+}
+function relevantExternalEvidence(finding, results) {
+    if (!results)
+        return [];
+    const findingPaths = new Set(finding.affected_files.map((f) => f.path));
+    return results.results
+        .filter((item) => findingPaths.has(item.path))
+        .map((item) => `external:${results.tool}:${item.path}:${item.summary}`);
+}
 export function mergeFindings(results, runtimeReport, externalAnalyzerResults) {
     const merged = new Map();
-    const runtimeEvidence = runtimeSummary(runtimeReport);
-    const analyzerEvidence = externalSummary(externalAnalyzerResults);
     for (const result of results) {
         for (const finding of result.findings) {
             const key = findingKey(finding);
@@ -160,13 +246,7 @@ export function mergeFindings(results, runtimeReport, externalAnalyzerResults) {
                 merged.set(key, {
                     ...finding,
                     affected_files: [...finding.affected_files],
-                    evidence: [
-                        ...new Set([
-                            ...(finding.evidence ?? []),
-                            ...runtimeEvidence,
-                            ...analyzerEvidence,
-                        ]),
-                    ],
+                    evidence: [...(finding.evidence ?? [])],
                 });
                 continue;
             }
@@ -188,13 +268,25 @@ export function mergeFindings(results, runtimeReport, externalAnalyzerResults) {
                 ...new Set([
                     ...(existing.evidence ?? []),
                     ...(finding.evidence ?? []),
-                    ...runtimeEvidence,
-                    ...analyzerEvidence,
                 ]),
             ];
         }
     }
-    return deduplicateCrossLens([...merged.values()]).sort((a, b) => {
+    for (const finding of merged.values()) {
+        const runtimeEv = relevantRuntimeEvidence(finding, runtimeReport);
+        const externalEv = relevantExternalEvidence(finding, externalAnalyzerResults);
+        if (runtimeEv.length > 0 || externalEv.length > 0) {
+            finding.evidence = [
+                ...new Set([
+                    ...(finding.evidence ?? []),
+                    ...runtimeEv,
+                    ...externalEv,
+                ]),
+            ];
+        }
+    }
+    const dedupedSameLens = deduplicateSameLens([...merged.values()]);
+    return deduplicateCrossLens(dedupedSameLens).sort((a, b) => {
         const severityDelta = severityRank(b.severity) - severityRank(a.severity);
         if (severityDelta !== 0)
             return severityDelta;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.3.34",
+  "version": "0.3.36",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",