auditor-lambda 0.3.40 → 0.3.41

package/dist/cli/dispatch.js

@@ -0,0 +1,528 @@
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+import { existsSync } from "node:fs";
+import { isAbsolute, join, relative, resolve } from "node:path";
+import { isFileMissingError, readJsonFile, writeJsonFile } from "@audit-tools/shared";
+import { loadArtifactBundle } from "../io/artifacts.js";
+import { orderTasksForPacketReview, buildReviewPackets } from "../orchestrator/reviewPackets.js";
+import { buildFileAnchorSummary } from "../orchestrator/fileAnchors.js";
+import { resolveFreshSessionProviderName } from "../providers/index.js";
+import { loadSessionConfig } from "../supervisor/sessionConfig.js";
+import { scheduleWave, buildProviderModelKey, readQuotaState, resolveHostActiveSubagentLimit, lookupDiscoveredLimits, } from "../quota/index.js";
+import { taskResultPath, packetPromptPath, artifactNameForId, toBase64Url, fromBase64Url, getFlag, } from "./args.js";
+export const LARGE_FILE_PACKET_TARGET_LINES = 2500;
+export const SMALL_MODEL_HINT_MAX_LINES = 500;
+export const SMALL_MODEL_HINT_MAX_ESTIMATED_TOKENS = 3000;
+export const DEEP_MODEL_HINT_MIN_ESTIMATED_TOKENS = 9000;
+export const DISPATCH_RESULT_MAP_FILENAME = "dispatch-result-map.json";
+export const ACTIVE_DISPATCH_FILENAME = "active-dispatch.json";
+export function dispatchResultMapPath(runDir) {
+    return join(runDir, DISPATCH_RESULT_MAP_FILENAME);
+}
+export function resolveRunScopedArg(argv, rawFlag, b64Flag) {
+    const raw = getFlag(argv, rawFlag);
+    const encoded = getFlag(argv, b64Flag);
+    return raw ?? (encoded ? fromBase64Url(encoded) : undefined);
+}
+export async function loadDispatchResultMap(runDir) {
+    try {
+        return await readJsonFile(dispatchResultMapPath(runDir));
+    }
+    catch (error) {
+        if (!isFileMissingError(error)) {
+            throw error;
+        }
+        return null;
+    }
+}
+export function entriesByTaskId(entries) {
+    return new Map(entries.map((entry) => [entry.task_id, entry]));
+}
+export function isIsolatedLargeFilePacket(packet) {
+    return (packet.file_paths.length === 1 &&
+        packet.total_lines > LARGE_FILE_PACKET_TARGET_LINES);
+}
+export function buildDispatchComplexity(packet, largeFileMode) {
+    return {
+        priority: packet.priority,
+        task_count: packet.task_ids.length,
+        file_count: packet.file_paths.length,
+        total_lines: packet.total_lines,
+        estimated_tokens: packet.estimated_tokens,
+        lenses: packet.lenses,
+        tags: packet.tags ?? [],
+        large_file_mode: largeFileMode,
+    };
+}
+export function buildDispatchModelHint(complexity) {
+    const deepReasons = [];
+    if (complexity.priority === "high")
+        deepReasons.push("high_priority");
+    if (complexity.large_file_mode)
+        deepReasons.push("isolated_large_file");
+    if (complexity.estimated_tokens >= DEEP_MODEL_HINT_MIN_ESTIMATED_TOKENS) {
+        deepReasons.push("high_estimated_tokens");
+    }
+    if (complexity.tags.some((tag) => tag === "critical_flow" || tag.startsWith("critical_flow:"))) {
+        deepReasons.push("critical_flow");
+    }
+    if (complexity.tags.some((tag) => tag === "external_analyzer_signal" || tag.startsWith("external_tool:"))) {
+        deepReasons.push("external_analyzer_signal");
+    }
+    if (complexity.tags.includes("lens_verification")) {
+        deepReasons.push("lens_verification");
+    }
+    if (deepReasons.length > 0) {
+        return { tier: "deep", reasons: deepReasons };
+    }
+    const sensitiveLenses = new Set(["security", "data_integrity", "reliability"]);
+    const hasSensitiveLens = complexity.lenses.some((lens) => sensitiveLenses.has(lens));
+    if (complexity.priority === "low" &&
+        complexity.total_lines <= SMALL_MODEL_HINT_MAX_LINES &&
+        complexity.estimated_tokens <= SMALL_MODEL_HINT_MAX_ESTIMATED_TOKENS &&
+        !hasSensitiveLens &&
+        complexity.tags.length === 0) {
+        return { tier: "small", reasons: ["small_low_priority_packet"] };
+    }
+    const reasons = [];
+    if (complexity.priority === "medium")
+        reasons.push("medium_priority");
+    if (hasSensitiveLens)
+        reasons.push("sensitive_lens");
+    if (complexity.total_lines > SMALL_MODEL_HINT_MAX_LINES) {
+        reasons.push("moderate_size");
+    }
+    return {
+        tier: "standard",
+        reasons: reasons.length > 0 ? reasons : ["default_review_packet"],
+    };
+}
+export function withinRoot(root, path) {
+    const rootPath = resolve(root);
+    const absolutePath = resolve(rootPath, path);
+    const relativePath = relative(rootPath, absolutePath);
+    if (relativePath.startsWith("..") || isAbsolute(relativePath)) {
+        throw new Error(`Path '${path}' escapes repository root '${rootPath}'.`);
+    }
+    return absolutePath;
+}
+function renderAnchorPreview(summary, anchorPath) {
+    const preview = summary.anchors.slice(0, 24).map((anchor) => {
+        const location = anchor.line ? `${summary.path}:${anchor.line}` : summary.path;
+        const detail = anchor.detail ? ` - ${anchor.detail}` : "";
+        return `- ${location} [${anchor.kind}] ${anchor.name}${detail}`;
+    });
+    return [
+        "## Large File Review Mode",
+        "This packet is intentionally isolated because it covers one large file.",
+        "Use targeted reads/searches within this file, guided by the mechanical anchors.",
+        "Do not read unrelated files unless a finding cannot be evidenced without a direct boundary check.",
+        `Anchor file: ${anchorPath}`,
+        `Anchor counts: symbols=${summary.counts.symbols}, routes=${summary.counts.routes}, keywords=${summary.counts.keywords}, graph_edges=${summary.counts.graph_edges}, analyzer_signals=${summary.counts.analyzer_signals}, omitted=${summary.omitted_anchor_count}`,
+        "Anchor preview:",
+        ...(preview.length > 0 ? preview : ["- no anchors extracted beyond file boundaries"]),
+        "",
+    ];
+}
+function formatPacketConfidence(value) {
+    return typeof value === "number" && Number.isFinite(value)
+        ? value.toFixed(2)
+        : "n/a";
+}
+function renderPacketGraphContext(packet) {
+    const hasContext = (packet.entrypoints?.length ?? 0) > 0 ||
+        (packet.key_edges?.length ?? 0) > 0 ||
+        (packet.boundary_files?.length ?? 0) > 0 ||
+        packet.quality !== undefined;
+    if (!hasContext) {
+        return [];
+    }
+    const lines = ["## Packet graph context"];
+    if (packet.entrypoints?.length) {
+        lines.push("Entrypoints:");
+        lines.push(...packet.entrypoints.map((entrypoint) => `- ${entrypoint}`));
+    }
+    if (packet.key_edges?.length) {
+        lines.push("Key internal edges:");
+        lines.push(...packet.key_edges.map((edge) => {
+            const kind = edge.kind ? ` [${edge.kind}]` : "";
+            const reason = edge.reason ? ` - ${edge.reason}` : "";
+            return `- ${edge.from} -> ${edge.to}${kind} confidence=${formatPacketConfidence(edge.confidence)}${reason}`;
+        }));
+    }
+    if (packet.boundary_files?.length) {
+        lines.push("Boundary files to check only when evidence crosses the packet:");
+        lines.push(...packet.boundary_files.map((path) => `- ${path}`));
+    }
+    if (packet.quality) {
+        lines.push(`Quality: cohesion=${packet.quality.cohesion_score}, internal_edges=${packet.quality.internal_edge_count}, boundary_edges=${packet.quality.boundary_edge_count}, unexplained_files=${packet.quality.unexplained_file_count}`);
+    }
+    lines.push("");
+    return lines;
+}
+export function buildPendingAuditTasks(bundle) {
+    const completedTaskIds = new Set((bundle.audit_results ?? []).map((result) => result.task_id));
+    const pendingTasks = (bundle.audit_tasks ?? []).filter((task) => task.status !== "complete" && !completedTaskIds.has(task.task_id));
+    const lineIndex = Object.fromEntries(pendingTasks.flatMap((task) => Object.entries(task.file_line_counts ?? {})));
+    return orderTasksForPacketReview(pendingTasks, {
+        graphBundle: bundle.graph_bundle,
+        lineIndex,
+    });
+}
+export async function prepareDispatchArtifacts(params) {
+    const runId = params.runId;
+    const artifactsDir = params.artifactsDir;
+    const runDir = join(artifactsDir, "runs", runId);
+    const taskResultsDir = join(runDir, "task-results");
+    const dispatchPlanPath = join(runDir, "dispatch-plan.json");
+    let reviewRoot = params.root;
+    try {
+        const workerTask = await readJsonFile(join(runDir, "task.json"));
+        reviewRoot ??= workerTask.repo_root;
+    }
+    catch (error) {
+        if (!isFileMissingError(error)) {
+            throw error;
+        }
+    }
+    const bundle = await loadArtifactBundle(artifactsDir);
+    const tasksPath = join(runDir, "pending-audit-tasks.json");
+    const tasks = await readJsonFile(tasksPath).catch((error) => {
+        if (isFileMissingError(error))
+            return buildPendingAuditTasks(bundle);
+        throw error;
+    });
+    const sessionConfig = params.sessionConfig ?? (await loadSessionConfig(artifactsDir).catch(() => ({})));
+    const lensDefsPath = join(params.packageRoot, "dispatch", "lens-definitions.json");
+    const lensDefs = await readJsonFile(lensDefsPath);
+    await mkdir(taskResultsDir, { recursive: true });
+    const priorResultTaskIds = new Set();
+    for (const task of tasks) {
+        if (existsSync(taskResultPath(taskResultsDir, task.task_id))) {
+            priorResultTaskIds.add(task.task_id);
+        }
+    }
+    const dispatchTasks = priorResultTaskIds.size > 0
+        ? tasks.filter((task) => !priorResultTaskIds.has(task.task_id))
+        : tasks;
+    const lineIndex = Object.fromEntries(dispatchTasks.flatMap((task) => Object.entries(task.file_line_counts ?? {})));
+    const orderedTasks = orderTasksForPacketReview(dispatchTasks, {
+        graphBundle: bundle.graph_bundle,
+        lineIndex,
+    });
+    const packets = buildReviewPackets(orderedTasks, {
+        graphBundle: bundle.graph_bundle,
+        lineIndex,
+    });
+    const tasksById = new Map(orderedTasks.map((task) => [task.task_id, task]));
+    const resultPathByTaskId = new Map(orderedTasks.map((task) => [
+        task.task_id,
+        taskResultPath(taskResultsDir, task.task_id),
+    ]));
+    const resultPathSet = new Set(resultPathByTaskId.values());
+    if (resultPathSet.size !== resultPathByTaskId.size) {
+        throw new Error("prepare-dispatch generated duplicate result paths; task ids must be uniquely addressable.");
+    }
+    const plan = [];
+    const resultMapEntries = [];
+    for (const task of tasks) {
+        if (priorResultTaskIds.has(task.task_id)) {
+            resultMapEntries.push({
+                packet_id: "__prior_dispatch__",
+                task_id: task.task_id,
+                result_path: taskResultPath(taskResultsDir, task.task_id),
+            });
+        }
+    }
+    let largestPacketId = null;
+    let largestLines = 0;
+    let largestEstimatedTokens = 0;
+    const warnings = [];
+    for (const packet of packets) {
+        const promptPath = packetPromptPath(taskResultsDir, packet.packet_id);
+        const packetTasks = packet.task_ids
+            .map((taskId) => tasksById.get(taskId))
+            .filter((task) => task !== undefined);
+        if (packet.total_lines > largestLines) {
+            largestLines = packet.total_lines;
+            largestEstimatedTokens = packet.estimated_tokens;
+            largestPacketId = packet.packet_id;
+        }
+        const largeFileMode = isIsolatedLargeFilePacket(packet);
+        if (packet.total_lines > LARGE_FILE_PACKET_TARGET_LINES && !largeFileMode) {
+            warnings.push({
+                code: "large_packet",
+                message: `large packet ${packet.packet_id} (~${packet.total_lines} lines) may hit quota limits`,
+            });
+        }
+        for (const task of packetTasks) {
+            if (!lensDefs[task.lens]) {
+                warnings.push({
+                    code: "missing_lens_definition",
+                    message: `no lens definition for '${task.lens}' (task ${task.task_id})`,
+                });
+            }
+        }
+        const fileList = packet.file_paths.map((path) => {
+            const lines = packet.file_line_counts[path] ?? 0;
+            return `- ${path} (${lines} lines)`;
+        }).join("\n");
+        let anchorPath = null;
+        let anchorSummary = null;
+        if (largeFileMode) {
+            const filePath = packet.file_paths[0];
+            if (!reviewRoot) {
+                warnings.push({
+                    code: "large_file_anchor_unavailable",
+                    message: `large single-file packet ${packet.packet_id} has no repo root available for anchor extraction`,
+                });
+            }
+            else {
+                try {
+                    const totalLines = packet.file_line_counts[filePath] ?? packet.total_lines;
+                    const content = await readFile(withinRoot(reviewRoot, filePath), "utf8");
+                    anchorSummary = buildFileAnchorSummary({
+                        path: filePath,
+                        content,
+                        totalLines,
+                        graphBundle: bundle.graph_bundle,
+                        externalAnalyzerResults: bundle.external_analyzer_results,
+                    });
+                    anchorPath = join(taskResultsDir, artifactNameForId(packet.packet_id, "anchors.json"));
+                    await writeJsonFile(anchorPath, anchorSummary);
+                }
+                catch (error) {
+                    warnings.push({
+                        code: "large_file_anchor_failed",
+                        message: `large single-file packet ${packet.packet_id} could not be anchored mechanically: ` +
+                            (error instanceof Error ? error.message : String(error)),
+                    });
+                }
+            }
+        }
+        const largeFileSection = anchorSummary && anchorPath
+            ? renderAnchorPreview(anchorSummary, anchorPath)
+            : largeFileMode
+                ? [
+                    "## Large File Review Mode",
+                    "This packet is intentionally isolated because it covers one large file.",
+                    "Use targeted reads/searches within this file only.",
+                    "No mechanical anchor file was available, so rely on targeted symbol and keyword searches before reading broad ranges.",
+                    "",
+                ]
+                : [];
+        const taskSections = packetTasks.flatMap((task) => {
+            const lensDef = lensDefs[task.lens];
+            const inputLines = task.inputs
+                ? Object.entries(task.inputs)
+                    .sort(([a], [b]) => a.localeCompare(b))
+                    .map(([key, value]) => `input.${key}: ${value}`)
+                : [];
+            const isLensVerification = task.tags?.includes("lens_verification") ?? false;
+            const coverageTemplate = task.file_paths.map((path) => ({
+                path,
+                total_lines: task.file_line_counts?.[path] ?? lineIndex[path] ?? 0,
+            }));
+            return [
+                `### ${task.task_id}`,
+                `unit_id: ${task.unit_id}`,
+                `pass_id: ${task.pass_id}`,
+                `lens: ${task.lens}`,
+                ...(task.tags?.length ? [`tags: ${task.tags.join(", ")}`] : []),
+                ...inputLines,
+                `rationale: ${task.rationale}`,
+                "",
+                `Lens guidance: ${lensDef?.description ?? task.lens}`,
+                `Do NOT report: ${lensDef?.do_not_report ?? "N/A"}`,
+                ...(isLensVerification
+                    ? [
+                        "",
+                        "Lens verification mode: review the prior result summary in the rationale and use only targeted source checks.",
+                        "Do not redo every packet and do not write direct findings for this task.",
+                        "Return findings: [] plus verification metadata. Include followup_tasks only for bounded, specific re-review packets.",
+                    ]
+                    : []),
+                "",
+                "file_coverage (copy exactly into your AuditResult for this task):",
+                "```json",
+                JSON.stringify(coverageTemplate),
+                "```",
+                "",
+            ];
+        });
+        const submitCommand = `"${process.execPath}" "${join(params.packageRoot, "audit-code.mjs")}" submit-packet ` +
+            `--run-id-b64 ${toBase64Url(runId)} ` +
+            `--packet-id-b64 ${toBase64Url(packet.packet_id)} ` +
+            `--artifacts-dir-b64 ${toBase64Url(artifactsDir)}`;
+        const complexity = buildDispatchComplexity(packet, largeFileMode);
+        for (const task of packetTasks) {
+            resultMapEntries.push({
+                packet_id: packet.packet_id,
+                task_id: task.task_id,
+                result_path: resultPathByTaskId.get(task.task_id),
+            });
+        }
+        const prompt = [
+            "You are a code auditor. Review this packet once, then submit exactly one result per listed task.",
+            "",
+            "## Packet",
+            `packet_id: ${packet.packet_id}`,
+            `task_count: ${packet.task_ids.length}`,
+            `lenses: ${packet.lenses.join(", ")}`,
+            `estimated_tokens: ${packet.estimated_tokens}`,
+            "",
+            "## Files to read",
+            largeFileMode
+                ? "Use targeted Read/Grep calls. Paths are repo-relative from the current working directory."
+                : "Use your Read tool. Paths are repo-relative from the current working directory.",
+            "Use host Read and Grep tools for source inspection. Do not use shell search commands.",
+            fileList,
+            "",
+            ...renderPacketGraphContext(packet),
+            ...largeFileSection,
+            "## Tasks",
+            ...taskSections,
+            "## Output",
+            "Do not write files directly. Do not use a Write tool, create temp files, edit source files,",
+            "remediate findings, create extra task results, or run unrelated audits.",
+            "Produce one JSON array containing exactly one AuditResult object for each listed task.",
+            "",
+            "Required AuditResult fields:",
+            "  task_id       copy from the task metadata",
+            "  unit_id       copy from the task metadata",
+            "  pass_id       copy from the task metadata",
+            "  lens          copy from the task metadata",
+            "  file_coverage [{path, total_lines}] - copy the exact template from each task section above",
+            "  findings      [] or array of finding objects",
+            "",
+            "Lens verification tasks:",
+            "  tasks tagged lens_verification must use findings: [] and include verification:",
+            "  {verified: boolean, needs_followup: boolean, concerns?: string[],",
+            "   coverage_concerns?: string[], confidence_concerns?: string[],",
+            "   followup_tasks?: AuditTask[]}.",
+            "  Follow-up AuditTask suggestions must stay bounded to files in this packet and use the same lens.",
+            "",
+            "Each finding object:",
+            "  id            unique ID, e.g. \"COR-001\"",
+            "  title         short title",
+            "  category      specific finding category, such as missing-validation or command-execution",
+            "  severity      critical|high|medium|low|info",
+            "  confidence    high|medium|low",
+            "  lens          must match the task lens exactly",
+            "  summary       1-2 sentence description",
+            "  affected_files  [{path, line_start?, line_end?, symbol?}] - objects, not strings; min 1 entry",
+            "  evidence     [\"path/to/file.ts:42 - description of what you see there\"] - min 1 entry",
+            "",
+            "Constraints:",
+            "1. line_end must not exceed the file's actual line count.",
+            "2. affected_files entries are objects with a path key, not plain strings.",
+            "3. Only reference files from the packet unless a finding genuinely crosses a boundary.",
+            "4. findings: [] is correct when you find nothing genuine.",
+            "",
+            "## Submit",
+            "Pipe the JSON array on stdin to this command:",
+            `  ${submitCommand}`,
+            "",
+            "The command validates and writes the packet-owned result files. Exit 0 means accepted.",
+            "Non-zero: read the errors, fix the JSON, and run the same submit command again. Retry up to 3 times.",
+            "",
+            "## Final response",
+            `After the submit command succeeds, reply exactly: valid: ${packet.packet_id}, findings=<total finding count>`,
+        ].join("\n");
+        await writeFile(promptPath, prompt, "utf8");
+        plan.push({
+            packet_id: packet.packet_id,
+            description: `Audit ${packet.file_paths.length} file(s), ${packet.task_ids.length} task(s), ${packet.lenses.length} lens(es) (~${packet.total_lines} lines)` +
+                (largeFileMode ? " [isolated large-file mode]" : ""),
+            prompt_path: promptPath,
+            complexity,
+            model_hint: buildDispatchModelHint(complexity),
+        });
+    }
+    await writeJsonFile(dispatchPlanPath, plan);
+    await writeJsonFile(dispatchResultMapPath(runDir), {
+        contract_version: "audit-code-dispatch-results/v1alpha1",
+        run_id: runId,
+        entries: resultMapEntries,
+    });
+    const hostModel = params.hostModel ?? null;
+    const perPacketTokens = plan.map((p) => p.complexity.estimated_tokens);
+    const quotaProviderName = resolveFreshSessionProviderName(undefined, sessionConfig);
+    const quotaProviderKey = buildProviderModelKey(quotaProviderName, hostModel);
+    const quotaState = await readQuotaState().catch(() => ({ version: 2, entries: {} }));
+    const quotaStateEntry = quotaState.entries[quotaProviderKey] ?? null;
+    const hostConcurrencyLimit = resolveHostActiveSubagentLimit({
+        explicitLimit: params.hostActiveSubagentLimit,
+        sessionConfig,
+    });
+    const dispatchCachedLimits = await lookupDiscoveredLimits(quotaProviderKey).catch(() => null);
+    const waveSchedule = scheduleWave({
+        providerName: quotaProviderName,
+        sessionConfig,
+        hostModel,
+        requestedConcurrency: sessionConfig.parallel_workers ?? plan.length,
+        estimatedSlotTokens: perPacketTokens,
+        quotaStateEntry,
+        hostConcurrencyLimit,
+        discoveredLimits: dispatchCachedLimits,
+    });
+    const dispatchQuota = {
+        contract_version: "audit-code-dispatch-quota/v1alpha2",
+        run_id: runId,
+        model: hostModel,
+        resolved_limits: waveSchedule.resolved_limits,
+        confidence: waveSchedule.confidence,
+        source: waveSchedule.source,
+        host_concurrency_limit: waveSchedule.host_concurrency_limit,
+        wave_size: waveSchedule.wave_size,
+        estimated_wave_tokens: waveSchedule.estimated_wave_tokens,
+        cooldown_until: waveSchedule.cooldown_until,
+        quota_source_snapshot: waveSchedule.quota_source_snapshot ?? null,
+        backoff_state: null,
+    };
+    const dispatchQuotaPath = join(runDir, "dispatch-quota.json");
+    await writeJsonFile(dispatchQuotaPath, dispatchQuota);
+    if (waveSchedule.confidence !== "low") {
+        const contextBudget = waveSchedule.resolved_limits.context_tokens - waveSchedule.resolved_limits.output_tokens;
+        for (const p of plan) {
+            if (p.complexity.estimated_tokens > contextBudget) {
+                warnings.push({
+                    code: "oversized_packet",
+                    message: `Packet ${p.packet_id} estimated tokens (${p.complexity.estimated_tokens}) exceed ` +
+                        `context budget (${contextBudget}). This packet may fail at dispatch. ` +
+                        `Set quota.default_context_tokens or quota.models in session-config.json to override.`,
+                });
+            }
+        }
+    }
+    const warningsPath = warnings.length > 0
+        ? join(runDir, "dispatch-warnings.json")
+        : null;
+    if (warningsPath) {
+        await writeJsonFile(warningsPath, warnings);
+    }
+    const activeDispatch = {
+        run_id: runId,
+        created_at: new Date().toISOString(),
+        packet_count: plan.length,
+        task_count: orderedTasks.length,
+        status: "active",
+    };
+    await writeJsonFile(join(artifactsDir, ACTIVE_DISPATCH_FILENAME), activeDispatch);
+    return {
+        run_id: runId,
+        dispatch_plan_path: dispatchPlanPath,
+        dispatch_quota_path: dispatchQuotaPath,
+        packet_count: plan.length,
+        task_count: orderedTasks.length,
+        skipped_task_count: priorResultTaskIds.size,
+        largest_packet: largestPacketId
+            ? {
+                packet_id: largestPacketId,
+                total_lines: largestLines,
+                estimated_tokens: largestEstimatedTokens,
+            }
+            : null,
+        warning_count: warnings.length,
+        dispatch_warnings_path: warningsPath,
+    };
+}

package/dist/cli/prompts.d.ts

@@ -0,0 +1,18 @@
+import type { ActiveReviewRun } from "../supervisor/operatorHandoff.js";
+export declare function nextStepCommand(root: string, artifactsDir: string): string;
+export declare function mergeAndIngestCommand(artifactsDir: string, runId: string): string;
+export declare function renderDispatchReviewPrompt(params: {
+    root: string;
+    artifactsDir: string;
+    activeReviewRun: ActiveReviewRun;
+    dispatchPlanPath: string;
+    dispatchQuotaPath: string | null;
+    hostCanRestrictSubagentTools: boolean;
+    hostCanSelectSubagentModel: boolean;
+}): string;
+export declare function renderSingleTaskFallbackStepPrompt(params: {
+    singleTaskPromptPath: string;
+    activeReviewRun: ActiveReviewRun;
+}): string;
+export declare function renderPresentReportPrompt(finalReportPath: string): string;
+export declare function renderBlockedStepPrompt(reason: string): string;

package/dist/cli/prompts.js

@@ -0,0 +1,130 @@
+import { renderCommand } from "./args.js";
+export function nextStepCommand(root, artifactsDir) {
+    return renderCommand([
+        "audit-code",
+        "next-step",
+        "--root",
+        root,
+        "--artifacts-dir",
+        artifactsDir,
+    ]);
+}
+export function mergeAndIngestCommand(artifactsDir, runId) {
+    return renderCommand([
+        "audit-code",
+        "merge-and-ingest",
+        "--artifacts-dir",
+        artifactsDir,
+        "--run-id",
+        runId,
+    ]);
+}
+export function renderDispatchReviewPrompt(params) {
+    const mergeCommand = mergeAndIngestCommand(params.artifactsDir, params.activeReviewRun.run_id);
+    const continueCommand = nextStepCommand(params.root, params.artifactsDir);
+    const modelLine = params.hostCanSelectSubagentModel
+        ? "When launching each subagent, map `entry.model_hint.tier` (`small`, `standard`, `deep`) to an available host model without asking the user for model names."
+        : "Ignore `entry.model_hint`; this host did not report per-subagent model selection.";
+    const toolsLine = params.hostCanRestrictSubagentTools
+        ? "Restrict review subagents to read/search plus the packet submit command named in their prompt. Do not give them source edit/write tools."
+        : "Do not ask the user about per-subagent tool restrictions; this host did not report a callable restriction facility.";
+    const dispatchDataLines = params.dispatchQuotaPath
+        ? [
+            "Read these generated files:",
+            "",
+            `  Dispatch plan:  ${params.dispatchPlanPath}`,
+            `  Dispatch quota: ${params.dispatchQuotaPath}`,
+            "",
+            "Use the `wave_size` from the quota data. If `cooldown_until` is non-null, wait until that timestamp before starting the first wave.",
+            "",
+            "`host_concurrency_limit` records any detected hard host cap that contributed to `wave_size`.",
+            "",
+            "For each wave: use the `task` tool (or equivalent subagent dispatch) to launch up to `wave_size` subagents in parallel (one per entry), wait for all to finish, then start the next wave.",
+        ]
+        : [
+            "Read this generated dispatch plan:",
+            "",
+            `  ${params.dispatchPlanPath}`,
+            "",
+            "Launch one subagent for each entry in the plan.",
+        ];
+    return [
+        "# audit-code dispatch review",
+        "",
+        ...dispatchDataLines,
+        "",
+        "Pass each `entry.prompt_path` literally to its subagent; do not load packet prompt files into this orchestrator context.",
+        "",
+        "Subagent prompt shape:",
+        "",
+        '  Read and follow the audit instructions in: <entry.prompt_path>',
+        "",
+        modelLine,
+        toolsLine,
+        "",
+        "Each subagent must submit its packet through the submit command printed in its packet prompt and stop after successful submission.",
+        "",
+        "**File access pre-approval:** Each dispatch plan entry includes an `access` object with `read_paths` and `write_paths`. If your host supports per-subagent file access restrictions, pre-approve those paths before launching each subagent. Workers should not access files outside their declared paths.",
+        "",
+        "**After all waves complete:**",
+        "",
+        "Run exactly:",
+        "",
+        `  ${mergeCommand}`,
+        "",
+        "If merge-and-ingest fails, stop and report the exact command and error output. Do not manually merge results or edit audit state.",
+        "",
+        "If merge-and-ingest succeeds, run:",
+        "",
+        `  ${continueCommand}`,
+        "",
+        "Read and follow only the new step prompt path returned by that command.",
+        "",
+    ].join("\n");
+}
+export function renderSingleTaskFallbackStepPrompt(params) {
+    return [
+        "# audit-code single-task fallback step",
+        "",
+        "Use this step only because the host reported no callable subagent facility.",
+        "",
+        "Read and follow exactly this generated single-task prompt:",
+        "",
+        `  ${params.singleTaskPromptPath}`,
+        "",
+        "Complete exactly one AuditResult for the task named there, write the JSON array to the prompt's audit_results_path, run the exact worker_command from that prompt, then stop.",
+        "",
+        "Do not run dispatch commands, do not prepare packets, do not run next-step again in this turn, and do not read a report after the worker command.",
+        "",
+        "The only backend command allowed after writing the result is:",
+        "",
+        `  ${renderCommand(params.activeReviewRun.worker_command)}`,
+        "",
+    ].join("\n");
+}
+export function renderPresentReportPrompt(finalReportPath) {
+    return [
+        "# audit-code present report",
+        "",
+        "The deterministic audit is complete.",
+        "",
+        `Read the final audit report from: ${finalReportPath}`,
+        "",
+        "Present the completed audit with work blocks first.",
+        "",
+        "Do not run the orchestrator again for this completed audit.",
+        "",
+    ].join("\n");
+}
+export function renderBlockedStepPrompt(reason) {
+    return [
+        "# audit-code blocked",
+        "",
+        "The audit cannot continue automatically from this step.",
+        "",
+        "Report this blocker verbatim and stop:",
+        "",
+        reason,
+        "",
+    ].join("\n");
+}