auditor-lambda 0.3.4 → 0.3.6

package/dist/orchestrator/fileAnchors.d.ts

@@ -0,0 +1,32 @@
+import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
+import type { GraphBundle } from "../types/graph.js";
+export type FileAnchorKind = "boundary" | "import" | "export" | "symbol" | "route" | "keyword" | "graph" | "analyzer_signal";
+export interface FileAnchor {
+    kind: FileAnchorKind;
+    name: string;
+    line?: number;
+    detail?: string;
+}
+export interface FileAnchorSummary {
+    contract_version: "audit-code-file-anchors/v1alpha1";
+    path: string;
+    total_lines: number;
+    review_mode: "isolated_large_file";
+    scope_basis: string[];
+    anchors: FileAnchor[];
+    omitted_anchor_count: number;
+    counts: {
+        symbols: number;
+        routes: number;
+        keywords: number;
+        graph_edges: number;
+        analyzer_signals: number;
+    };
+}
+export declare function buildFileAnchorSummary(params: {
+    path: string;
+    content: string;
+    totalLines: number;
+    graphBundle?: GraphBundle;
+    externalAnalyzerResults?: ExternalAnalyzerResults;
+}): FileAnchorSummary;

package/dist/orchestrator/fileAnchors.js

@@ -0,0 +1,217 @@
+const MAX_ANCHORS = 160;
+const KEYWORD_PATTERN = /\b(auth|token|password|secret|permission|role|sql|query|exec|spawn|eval|deserialize|encrypt|decrypt|cache|retry|timeout|transaction|lock|race|TODO|FIXME)\b/i;
+const SYMBOL_PATTERNS = [
+    {
+        kind: "import",
+        pattern: /^\s*import\s+(?:type\s+)?(?:[^"'()]*?\s+from\s+)?["']([^"']+)["']/,
+        label: "import",
+    },
+    {
+        kind: "symbol",
+        pattern: /^\s*(?:export\s+)?(?:async\s+)?function\s+([A-Za-z_$][\w$]*)\b/,
+        label: "function",
+    },
+    {
+        kind: "symbol",
+        pattern: /^\s*(?:export\s+)?class\s+([A-Za-z_$][\w$]*)\b/,
+        label: "class",
+    },
+    {
+        kind: "symbol",
+        pattern: /^\s*(?:export\s+)?interface\s+([A-Za-z_$][\w$]*)\b/,
+        label: "interface",
+    },
+    {
+        kind: "symbol",
+        pattern: /^\s*(?:export\s+)?type\s+([A-Za-z_$][\w$]*)\b/,
+        label: "type",
+    },
+    {
+        kind: "symbol",
+        pattern: /^\s*(?:export\s+)?(?:const|let|var)\s+([A-Za-z_$][\w$]*)\b/,
+        label: "binding",
+    },
+    {
+        kind: "export",
+        pattern: /^\s*export\s+(?:type\s+)?(?:[^"'()]*?\s+from\s+["']([^"']+)["']|(?:default\s+)?(?:async\s+)?(?:function|class|const|let|var|interface|type)\s+([A-Za-z_$][\w$-]*))/,
+        label: "export",
+    },
+    {
+        kind: "symbol",
+        pattern: /^\s*(?:export\s+)?def\s+([A-Za-z_][\w]*)\b/,
+        label: "function",
+    },
+    {
+        kind: "symbol",
+        pattern: /^\s*(?:export\s+)?func\s+(?:\([^)]+\)\s*)?([A-Za-z_][\w]*)\b/,
+        label: "function",
+    },
+    {
+        kind: "symbol",
+        pattern: /^\s*(?:pub\s+)?fn\s+([A-Za-z_][\w]*)\b/,
+        label: "function",
+    },
+    {
+        kind: "route",
+        pattern: /\b(?:app|router|server)\s*\.\s*(get|post|put|patch|delete|use)\s*\(/i,
+        label: "route",
+    },
+    {
+        kind: "route",
+        pattern: /^\s*@(?:Get|Post|Put|Patch|Delete|Route|Controller)\b/,
+        label: "route",
+    },
+];
+function normalizePath(path) {
+    return path.replace(/\\/g, "/").replace(/^\.\//, "");
+}
+function truncate(value, maxLength) {
+    const normalized = value.replace(/\s+/g, " ").trim();
+    return normalized.length > maxLength
+        ? `${normalized.slice(0, maxLength - 3)}...`
+        : normalized;
+}
+function addAnchor(anchors, seen, anchor) {
+    const key = `${anchor.kind}\0${anchor.line ?? ""}\0${anchor.name}\0${anchor.detail ?? ""}`;
+    if (seen.has(key)) {
+        return;
+    }
+    seen.add(key);
+    anchors.push(anchor);
+}
+function collectGraphEdges(graphBundle, path) {
+    if (!graphBundle?.graphs) {
+        return [];
+    }
+    const normalizedPath = normalizePath(path).toLowerCase();
+    const edges = [];
+    for (const key of ["imports", "calls", "references"]) {
+        const raw = graphBundle.graphs[key];
+        if (!Array.isArray(raw)) {
+            continue;
+        }
+        for (const item of raw) {
+            const record = item;
+            if (item &&
+                typeof item === "object" &&
+                !Array.isArray(item) &&
+                typeof record.from === "string" &&
+                typeof record.to === "string") {
+                const from = normalizePath(record.from).toLowerCase();
+                const to = normalizePath(record.to).toLowerCase();
+                if (from === normalizedPath || to === normalizedPath) {
+                    edges.push({
+                        from: record.from,
+                        to: record.to,
+                        kind: typeof record.kind === "string" ? record.kind : key,
+                    });
+                }
+            }
+        }
+    }
+    return edges.sort((a, b) => (a.kind ?? "").localeCompare(b.kind ?? "") ||
+        a.from.localeCompare(b.from) ||
+        a.to.localeCompare(b.to));
+}
+export function buildFileAnchorSummary(params) {
+    const anchors = [];
+    const seen = new Set();
+    const path = normalizePath(params.path);
+    const lines = params.content.split(/\r?\n/);
+    let symbolCount = 0;
+    let routeCount = 0;
+    let keywordCount = 0;
+    addAnchor(anchors, seen, {
+        kind: "boundary",
+        name: "file_start",
+        line: 1,
+        detail: "Start of isolated large-file review boundary.",
+    });
+    if (params.totalLines > 1) {
+        addAnchor(anchors, seen, {
+            kind: "boundary",
+            name: "file_end",
+            line: params.totalLines,
+            detail: "End of isolated large-file review boundary.",
+        });
+    }
+    lines.forEach((line, index) => {
+        const lineNumber = index + 1;
+        for (const { kind, pattern, label } of SYMBOL_PATTERNS) {
+            const match = line.match(pattern);
+            if (!match) {
+                continue;
+            }
+            const name = match.slice(1).find((value) => value && value.trim().length > 0) ?? label;
+            if (kind === "route") {
+                routeCount += 1;
+            }
+            else if (kind === "symbol") {
+                symbolCount += 1;
+            }
+            addAnchor(anchors, seen, {
+                kind,
+                name: truncate(name, 80),
+                line: lineNumber,
+                detail: truncate(`${label}: ${line}`, 180),
+            });
+            break;
+        }
+        if (KEYWORD_PATTERN.test(line)) {
+            keywordCount += 1;
+            addAnchor(anchors, seen, {
+                kind: "keyword",
+                name: truncate(line.match(KEYWORD_PATTERN)?.[1] ?? "keyword", 80),
+                line: lineNumber,
+                detail: truncate(line, 180),
+            });
+        }
+    });
+    const graphEdges = collectGraphEdges(params.graphBundle, path);
+    for (const edge of graphEdges) {
+        addAnchor(anchors, seen, {
+            kind: "graph",
+            name: edge.kind ?? "edge",
+            detail: normalizePath(edge.from).toLowerCase() === path.toLowerCase()
+                ? `outbound: ${edge.to}`
+                : `inbound: ${edge.from}`,
+        });
+    }
+    const analyzerSignals = (params.externalAnalyzerResults?.results ?? [])
+        .filter((result) => normalizePath(result.path).toLowerCase() === path.toLowerCase())
+        .sort((a, b) => (a.line_start ?? 0) - (b.line_start ?? 0) ||
+        a.id.localeCompare(b.id));
+    for (const signal of analyzerSignals) {
+        addAnchor(anchors, seen, {
+            kind: "analyzer_signal",
+            name: truncate(signal.rule ?? signal.category, 80),
+            line: signal.line_start,
+            detail: truncate(signal.summary, 180),
+        });
+    }
+    const sorted = anchors.sort((a, b) => (a.line ?? Number.MAX_SAFE_INTEGER) - (b.line ?? Number.MAX_SAFE_INTEGER) ||
+        a.kind.localeCompare(b.kind) ||
+        a.name.localeCompare(b.name));
+    const boundedAnchors = sorted.slice(0, MAX_ANCHORS);
+    return {
+        contract_version: "audit-code-file-anchors/v1alpha1",
+        path,
+        total_lines: params.totalLines,
+        review_mode: "isolated_large_file",
+        scope_basis: [
+            "single assigned file",
+            "single review packet",
+            "mechanically extracted symbols, routes, graph edges, keywords, and analyzer signals",
+            "backend-owned submit-packet result write path",
+        ],
+        anchors: boundedAnchors,
+        omitted_anchor_count: Math.max(0, sorted.length - boundedAnchors.length),
+        counts: {
+            symbols: symbolCount,
+            routes: routeCount,
+            keywords: keywordCount,
+            graph_edges: graphEdges.length,
+            analyzer_signals: analyzerSignals.length,
+        },
+    };
+}

package/dist/orchestrator/reviewPackets.js

@@ -105,6 +105,16 @@ function chunkPacketTasks(tasks, options) {
     const chunks = [];
     let current = [];
     for (const task of tasks.sort(compareTasksForPacket)) {
+        const isolatedLargeFileTask = task.file_paths.length === 1 &&
+            taskLineCount(task, options.lineIndex) > options.targetPacketLines;
+        if (isolatedLargeFileTask) {
+            if (current.length > 0) {
+                chunks.push(current);
+                current = [];
+            }
+            chunks.push([task]);
+            continue;
+        }
         const candidate = [...current, task];
         const uniquePaths = new Set(candidate.flatMap((item) => item.file_paths));
         const candidateLines = [...uniquePaths].reduce((sum, path) => {

package/dist/providers/claudeCodeProvider.js

@@ -21,7 +21,9 @@ export class ClaudeCodeProvider {
             "-p",
             prompt,
             ...(this.config.extra_args ?? []),
-            "--dangerously-skip-permissions",
+            ...(this.config.dangerously_skip_permissions
+                ? ["--dangerously-skip-permissions"]
+                : []),
         ];
         return await this.launchCommand(command, args, input);
     }

package/dist/providers/index.js

@@ -9,7 +9,8 @@ function hasEntries(values) {
 }
 function hasConfiguredClaudeCode(sessionConfig) {
     return (Boolean(sessionConfig.claude_code?.command?.trim()) ||
-        hasEntries(sessionConfig.claude_code?.extra_args));
+        hasEntries(sessionConfig.claude_code?.extra_args) ||
+        sessionConfig.claude_code?.dangerously_skip_permissions === true);
 }
 function hasConfiguredOpenCode(sessionConfig) {
     return (Boolean(sessionConfig.opencode?.command?.trim()) ||

package/dist/supervisor/operatorHandoff.js

@@ -69,13 +69,7 @@ function buildSuggestedInputs(artifactsDir, status, isConfigError, activeReviewR
         return [];
     }
     if (activeReviewRun) {
-        return [
-            {
-                flag: "--results",
-                suggested_path: activeReviewRun.audit_results_path,
-                description: "Write structured audit-review results for the currently dispatched run, then execute the exact worker command below to ingest them.",
-            },
-        ];
+        return [];
     }
     const incomingDir = join(artifactsDir, INCOMING_DIRNAME);
     return [
@@ -101,12 +95,21 @@ function buildSuggestedInputs(artifactsDir, status, isConfigError, activeReviewR
         },
     ];
 }
-function buildSuggestedCommands(suggestedInputs, status, activeReviewRun) {
+function buildSuggestedCommands(artifactsDir, suggestedInputs, status, activeReviewRun) {
     if (status !== BLOCKED_STATUS) {
         return [];
     }
     if (activeReviewRun) {
-        return [renderShellCommand(activeReviewRun.worker_command)];
+        return [
+            renderShellCommand([
+                "audit-code",
+                "prepare-dispatch",
+                "--run-id",
+                activeReviewRun.run_id,
+                "--artifacts-dir",
+                artifactsDir,
+            ]),
+        ];
     }
     return suggestedInputs.map((item) => `audit-code ${item.flag} ${quoteShellPath(item.suggested_path)}`);
 }
@@ -216,17 +219,25 @@ export function buildAuditCodeHandoff(params) {
         summary: buildSummary(params.state.status, params.providerName ?? null, params.progressSummary),
         pending_obligations: buildPendingObligations(params.state),
         suggested_inputs: suggestedInputs,
-        suggested_commands: buildSuggestedCommands(suggestedInputs, params.state.status, params.activeReviewRun),
+        suggested_commands: buildSuggestedCommands(params.artifactsDir, suggestedInputs, params.state.status, params.activeReviewRun),
         interactive_provider_hint: buildInteractiveProviderHint(params.state.status, params.providerName ?? null, artifactPaths.session_config, isConfigError),
         artifact_paths: artifactPaths,
         active_review_run: params.activeReviewRun,
     };
     // Add quick_start command and file map when blocked for review
     if (params.state.status === BLOCKED_STATUS && params.activeReviewRun) {
-        handoff.quick_start = `audit-code worker-run --task ${params.activeReviewRun.task_path}`;
+        handoff.quick_start = renderShellCommand([
+            "audit-code",
+            "prepare-dispatch",
+            "--run-id",
+            params.activeReviewRun.run_id,
+            "--artifacts-dir",
+            params.artifactsDir,
+        ]);
         handoff.file_map = {
             current_task: artifactPaths.current_task,
             current_prompt: artifactPaths.current_prompt,
+            dispatch_plan: join(params.artifactsDir, "runs", params.activeReviewRun.run_id, "dispatch-plan.json"),
             audit_results: params.activeReviewRun.audit_results_path,
             final_report: join(params.root, "audit-report.md"),
         };

package/dist/types/sessionConfig.d.ts

@@ -10,6 +10,7 @@ export interface SubprocessTemplateConfig {
 export interface ClaudeCodeConfig {
     command?: string;
     extra_args?: string[];
+    dangerously_skip_permissions?: boolean;
 }
 export interface OpenCodeConfig {
     command?: string;

package/dist/validation/auditResults.js

@@ -57,6 +57,20 @@ function validateRequiredStringField(value, label, taskId, resultIndex, issues)
         });
     }
 }
+function validateExpectedStringField(value, label, expected, taskId, resultIndex, issues) {
+    if (typeof value !== "string" || value.trim().length === 0) {
+        return;
+    }
+    if (value !== expected) {
+        pushIssue(issues, {
+            result_index: resultIndex,
+            task_id: taskId,
+            field: label,
+            message: `${label} must match the assigned task metadata ` +
+                `(expected '${expected}', got '${value}').`,
+        });
+    }
+}
 function validateFinding(finding, label, taskId, resultIndex) {
     const issues = [];
     if (!isRecord(finding)) {
@@ -237,6 +251,11 @@ export function validateAuditResults(results, tasks, options = {}) {
                 message: `Invalid lens '${result.lens}'. Must be one of: ${[...VALID_LENSES].join(", ")}.`,
             });
         }
+        if (task) {
+            validateExpectedStringField(result.unit_id, "unit_id", task.unit_id, taskId, i, issues);
+            validateExpectedStringField(result.pass_id, "pass_id", task.pass_id, taskId, i, issues);
+            validateExpectedStringField(result.lens, "lens", task.lens, taskId, i, issues);
+        }
         if (tasks.length > 0 && !task) {
             pushIssue(issues, {
                 result_index: i,
@@ -248,6 +267,7 @@ export function validateAuditResults(results, tasks, options = {}) {
         }
         const fileCoverage = result.file_coverage;
         const normalizedFileCoverage = [];
+        const declaredAssignedCoveragePaths = new Set();
         if (!Array.isArray(fileCoverage) || fileCoverage.length === 0) {
             pushIssue(issues, {
                 result_index: i,
@@ -281,7 +301,6 @@ export function validateAuditResults(results, tasks, options = {}) {
                     pushIssue(issues, {
                         result_index: i,
                         task_id: taskId,
-                        severity: "warning",
                         field: `file_coverage[${j}].path`,
                         message: `file_coverage path '${entry.path}' is not listed in the task file_paths.`,
                     });
@@ -297,6 +316,10 @@ export function validateAuditResults(results, tasks, options = {}) {
                 else {
                     seenCoveragePaths.add(entry.path);
                 }
+                if (isNonEmptyString(entry.path) &&
+                    (!task || task.file_paths.includes(entry.path))) {
+                    declaredAssignedCoveragePaths.add(entry.path);
+                }
                 if (!Number.isInteger(entry.total_lines)) {
                     pushIssue(issues, {
                         result_index: i,
@@ -330,7 +353,8 @@ export function validateAuditResults(results, tasks, options = {}) {
                 }
                 if (isNonEmptyString(entry.path) &&
                     Number.isInteger(entry.total_lines) &&
-                    Number(entry.total_lines) >= 0) {
+                    Number(entry.total_lines) >= 0 &&
+                    (!task || task.file_paths.includes(entry.path))) {
                     normalizedFileCoverage.push({
                         path: entry.path,
                         total_lines: Number(entry.total_lines),
@@ -367,11 +391,35 @@ export function validateAuditResults(results, tasks, options = {}) {
             if (!isRecord(finding) || !Array.isArray(finding.affected_files)) {
                 continue;
             }
+            const expectedFindingLens = task?.lens ??
+                (typeof result.lens === "string" && VALID_LENSES.has(result.lens)
+                    ? result.lens
+                    : undefined);
+            if (expectedFindingLens &&
+                typeof finding.lens === "string" &&
+                finding.lens !== expectedFindingLens) {
+                pushIssue(issues, {
+                    result_index: i,
+                    task_id: taskId,
+                    field: `${label}.lens`,
+                    message: `${label}.lens must match the assigned task lens ` +
+                        `(expected '${expectedFindingLens}', got '${finding.lens}').`,
+                });
+            }
             for (let k = 0; k < finding.affected_files.length; k++) {
                 const affected = finding.affected_files[k];
                 if (!isRecord(affected) || !isNonEmptyString(affected.path)) {
                     continue;
                 }
+                if (!declaredAssignedCoveragePaths.has(affected.path)) {
+                    pushIssue(issues, {
+                        result_index: i,
+                        task_id: taskId,
+                        field: `${label}.affected_files[${k}].path`,
+                        message: `affected_files path '${affected.path}' is not in the declared assigned file_coverage.`,
+                    });
+                    continue;
+                }
                 if (!Number.isInteger(affected.line_start)) {
                     continue;
                 }

package/dist/validation/sessionConfig.js

@@ -74,6 +74,11 @@ function validateAgentProviderSection(value, path, issues) {
     if (value.extra_args !== undefined) {
         validateStringArray(value.extra_args, `${path}.extra_args`, "extra_args", issues, { allowEmptyArray: true });
     }
+    if (path === "claude_code" &&
+        value.dangerously_skip_permissions !== undefined &&
+        typeof value.dangerously_skip_permissions !== "boolean") {
+        pushIssue(issues, `${path}.dangerously_skip_permissions`, "dangerously_skip_permissions must be a boolean when provided.");
+    }
 }
 function commandExists(command) {
     const lookupCommand = process.platform === "win32" ? "where" : "which";

package/docs/agent-integrations.md

@@ -254,7 +254,7 @@ The current implementation shipped the shared installer and MCP substrate. The r
 
 Highest-value follow-through:
 
-1. validate the generated Codex, Claude Desktop, OpenCode, and VS Code assets inside the real products they target
+1. validate the generated Codex, Claude Desktop, OpenCode, VS Code, and Antigravity assets inside the real products they target
 2. tighten generated quick-start guidance anywhere those host smoke tests expose ambiguity
 3. document exactly how Antigravity artifacts should map into `import_results` and `import_runtime_updates`
 4. keep host claims conservative until those end-to-end product checks are complete
@@ -277,4 +277,7 @@ For a polished operator experience today:
 4. prefer `local-subprocess` unless you explicitly want a backend provider bridge
 5. use `subprocess-template` only when integrating a non-native editor or launcher surface
 
-If you intentionally want the backend fallback to bridge semantic review into another process, re-run with an explicit `--provider` flag after configuring the matching section in `.audit-artifacts/session-config.json`.
+If you intentionally want the backend fallback to bridge semantic review into
+another process, set the matching provider in
+`.audit-artifacts/session-config.json` or re-run with an explicit `--provider`
+flag after configuring the matching provider section.

package/docs/bootstrap-install.md

@@ -10,6 +10,9 @@ That command installs the repo-local `/audit-code` surfaces we can automate toda
 It is also the single refresh path: rerun `audit-code install` after prompt or
 skill updates to rewrite the shared install assets and every generated
 host-specific surface from the same source files.
+The generated manifest records the canonical prompt and skill source paths so
+host surfaces can be checked against one shared source of truth instead of
+drifting independently.
 
 After bootstrap, run:
 
@@ -28,6 +31,7 @@ Installed shared surfaces:
 - `.audit-code/install/GETTING-STARTED.md`
 - `.audit-code/install/manifest.json`
 - `.audit-code/install/run-mcp-server.mjs`
+- `.audit-artifacts/session-config.json` when no backend fallback config exists yet
 
 Installed host-specific surfaces:
 
@@ -76,6 +80,7 @@ without supplying extra root paths, provider flags, or model-selection arguments
 ## What is fully automated today
 
 - shared installer output, manifest generation, and repo-local MCP launcher generation
+- default backend fallback session-config creation when no config exists yet
 - Codex skill-bundle and AGENTS-oriented install output
 - OpenCode command, skill, prompt, and config generation
 - VS Code prompt, custom-agent, instruction, and MCP config generation
@@ -84,7 +89,7 @@ without supplying extra root paths, provider flags, or model-selection arguments
 
 ## What is not fully automated today
 
-- product-level smoke validation for the generated Codex, Claude Desktop, OpenCode, and VS Code assets
+- product-level smoke validation for the generated Codex, Claude Desktop, OpenCode, VS Code, and Antigravity assets
 - one-click proof that the generated Claude Desktop bundle installs cleanly in a real Desktop environment
 - documented Antigravity artifact round-tripping back through `import_results` and `import_runtime_updates`
 

package/docs/contract.md

@@ -25,7 +25,10 @@ Workers submit `AuditResult[]` shaped by `schemas/audit_result.schema.json`.
 Important rules:
 
 - `file_coverage` is required and must include every assigned file.
+- `file_coverage` must not include files outside the assigned task.
 - `file_coverage[].total_lines` must match the current file line count.
+- `task_id`, `unit_id`, `pass_id`, and `lens` must match the assigned task.
+- each finding lens must match the assigned task lens.
 - `findings[].affected_files` must be objects, not strings.
 - `findings[].evidence` must be an array of plain strings.