auditor-lambda 0.3.40 → 0.3.41

package/dist/extractors/graphPythonImports.js

@@ -0,0 +1,326 @@
+import { posix } from "node:path";
+import { graphEdge, normalizeGraphPath, resolveCandidate, } from "./graphPathUtils.js";
+const PYTHON_SOURCE_EXTENSIONS = [".py", ".pyi"];
+const PYTHON_PACKAGE_INDEX_FILES = ["__init__.py", "__init__.pyi"];
+const IMPORT_EDGE_CONFIDENCE = 0.95;
+export function isPythonSourcePath(path) {
+    const normalized = normalizeGraphPath(path).toLowerCase();
+    return PYTHON_SOURCE_EXTENSIONS.some((extension) => normalized.endsWith(extension));
+}
+function stripPythonLineComment(line) {
+    let quote;
+    let escaped = false;
+    for (let index = 0; index < line.length; index++) {
+        const char = line[index];
+        if (escaped) {
+            escaped = false;
+            continue;
+        }
+        if (quote) {
+            if (char === "\\") {
+                escaped = true;
+                continue;
+            }
+            if (char === quote) {
+                quote = undefined;
+            }
+            continue;
+        }
+        if (char === "'" || char === '"') {
+            quote = char;
+            continue;
+        }
+        if (char === "#") {
+            return line.slice(0, index);
+        }
+    }
+    return line;
+}
+function pythonParenDelta(line) {
+    let quote;
+    let escaped = false;
+    let delta = 0;
+    for (const char of line) {
+        if (escaped) {
+            escaped = false;
+            continue;
+        }
+        if (quote) {
+            if (char === "\\") {
+                escaped = true;
+                continue;
+            }
+            if (char === quote) {
+                quote = undefined;
+            }
+            continue;
+        }
+        if (char === "'" || char === '"') {
+            quote = char;
+            continue;
+        }
+        if (char === "(") {
+            delta += 1;
+        }
+        else if (char === ")") {
+            delta -= 1;
+        }
+    }
+    return delta;
+}
+function pythonLogicalLines(content) {
+    const logicalLines = [];
+    let pending = "";
+    let parenDepth = 0;
+    for (const rawLine of content.split(/\r?\n/)) {
+        const stripped = stripPythonLineComment(rawLine).trim();
+        if (stripped.length === 0) {
+            continue;
+        }
+        if (pending.length === 0 && !/^(?:import|from)\s+/i.test(stripped)) {
+            continue;
+        }
+        const continued = stripped.endsWith("\\");
+        const line = continued ? stripped.slice(0, -1).trimEnd() : stripped;
+        pending = pending.length > 0 ? `${pending} ${line}` : line;
+        parenDepth += pythonParenDelta(line);
+        if (!continued && parenDepth <= 0) {
+            logicalLines.push(pending.replace(/\s+/g, " ").trim());
+            pending = "";
+            parenDepth = 0;
+        }
+    }
+    if (pending.length > 0) {
+        logicalLines.push(pending.replace(/\s+/g, " ").trim());
+    }
+    return logicalLines;
+}
+function unwrapPythonImportList(value) {
+    let trimmed = value.trim();
+    if (trimmed.startsWith("(") && trimmed.endsWith(")")) {
+        trimmed = trimmed.slice(1, -1).trim();
+    }
+    return trimmed;
+}
+function splitPythonImportList(value) {
+    const items = [];
+    let current = "";
+    let quote;
+    let escaped = false;
+    let parenDepth = 0;
+    for (const char of unwrapPythonImportList(value)) {
+        if (escaped) {
+            current += char;
+            escaped = false;
+            continue;
+        }
+        if (quote) {
+            current += char;
+            if (char === "\\") {
+                escaped = true;
+            }
+            else if (char === quote) {
+                quote = undefined;
+            }
+            continue;
+        }
+        if (char === "'" || char === '"') {
+            current += char;
+            quote = char;
+            continue;
+        }
+        if (char === "(") {
+            parenDepth += 1;
+            current += char;
+            continue;
+        }
+        if (char === ")") {
+            parenDepth -= 1;
+            current += char;
+            continue;
+        }
+        if (char === "," && parenDepth === 0) {
+            const item = current.trim();
+            if (item.length > 0) {
+                items.push(item);
+            }
+            current = "";
+            continue;
+        }
+        current += char;
+    }
+    const item = current.trim();
+    if (item.length > 0) {
+        items.push(item);
+    }
+    return items;
+}
+function stripPythonAlias(value) {
+    return value.replace(/\s+as\s+[A-Za-z_]\w*$/i, "").trim();
+}
+function isPythonIdentifier(value) {
+    return /^[A-Za-z_]\w*$/.test(value);
+}
+function isPythonAbsoluteModuleSpecifier(value) {
+    return /^[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*$/.test(value);
+}
+function isPythonRelativeModuleSpecifier(value) {
+    return /^\.+(?:[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)?$/.test(value);
+}
+function isPythonModuleSpecifier(value) {
+    return (isPythonAbsoluteModuleSpecifier(value) ||
+        isPythonRelativeModuleSpecifier(value));
+}
+function pythonModulePath(specifier) {
+    return specifier.split(".").filter(Boolean).join("/");
+}
+function resolvePythonPathCandidate(candidate, pathLookup) {
+    const normalized = normalizeGraphPath(candidate).replace(/\/+$/, "");
+    if (normalized.length === 0 || normalized === "." || normalized === "..") {
+        return undefined;
+    }
+    return resolveCandidate(normalized, pathLookup);
+}
+function pythonPathMatchesModule(path, modulePath) {
+    const normalizedPath = normalizeGraphPath(path).toLowerCase();
+    const normalizedModulePath = normalizeGraphPath(modulePath).toLowerCase();
+    return (PYTHON_SOURCE_EXTENSIONS.some((extension) => {
+        const moduleFile = `${normalizedModulePath}${extension}`;
+        return (normalizedPath === moduleFile ||
+            normalizedPath.endsWith(`/${moduleFile}`));
+    }) ||
+        PYTHON_PACKAGE_INDEX_FILES.some((indexFile) => {
+            const packageFile = posix.join(normalizedModulePath, indexFile);
+            return (normalizedPath === packageFile ||
+                normalizedPath.endsWith(`/${packageFile}`));
+        }));
+}
+function commonDirectoryPrefixLength(left, right) {
+    const leftParts = normalizeGraphPath(left).split("/").filter(Boolean);
+    const rightParts = normalizeGraphPath(right).split("/").filter(Boolean);
+    let count = 0;
+    while (count < leftParts.length &&
+        count < rightParts.length &&
+        leftParts[count].toLowerCase() === rightParts[count].toLowerCase()) {
+        count += 1;
+    }
+    return count;
+}
+function resolvePythonAbsoluteModuleSpecifier(fromPath, specifier, pathLookup) {
+    const modulePath = pythonModulePath(specifier);
+    const direct = resolvePythonPathCandidate(modulePath, pathLookup);
+    if (direct) {
+        return direct;
+    }
+    const matches = [...new Set(pathLookup.values())].filter((path) => isPythonSourcePath(path) && pythonPathMatchesModule(path, modulePath));
+    if (matches.length === 1) {
+        return matches[0];
+    }
+    if (matches.length === 0) {
+        return undefined;
+    }
+    const fromDir = posix.dirname(normalizeGraphPath(fromPath));
+    const scored = matches
+        .map((target) => ({
+        target,
+        score: commonDirectoryPrefixLength(fromDir, posix.dirname(normalizeGraphPath(target))),
+    }))
+        .sort((a, b) => b.score - a.score || a.target.localeCompare(b.target));
+    const bestScore = scored[0]?.score ?? 0;
+    const bestMatches = scored.filter((item) => item.score === bestScore);
+    if (bestScore > 0 && bestMatches.length === 1) {
+        return bestMatches[0].target;
+    }
+    const srcMatches = matches.filter((target) => normalizeGraphPath(target).toLowerCase().startsWith("src/"));
+    return srcMatches.length === 1 ? srcMatches[0] : undefined;
+}
+function resolvePythonRelativeModuleSpecifier(fromPath, specifier, pathLookup) {
+    const match = /^(\.+)(.*)$/.exec(specifier);
+    if (!match) {
+        return undefined;
+    }
+    const level = match[1].length;
+    const remainder = match[2] ?? "";
+    let baseDir = posix.dirname(normalizeGraphPath(fromPath));
+    for (let index = 1; index < level; index++) {
+        const next = posix.dirname(baseDir);
+        if (next === baseDir) {
+            return undefined;
+        }
+        baseDir = next;
+    }
+    const modulePath = pythonModulePath(remainder);
+    const candidate = modulePath.length > 0 ? posix.join(baseDir, modulePath) : baseDir;
+    return resolvePythonPathCandidate(candidate, pathLookup);
+}
+function resolvePythonModuleSpecifier(fromPath, specifier, pathLookup) {
+    if (isPythonRelativeModuleSpecifier(specifier)) {
+        return resolvePythonRelativeModuleSpecifier(fromPath, specifier, pathLookup);
+    }
+    if (isPythonAbsoluteModuleSpecifier(specifier)) {
+        return resolvePythonAbsoluteModuleSpecifier(fromPath, specifier, pathLookup);
+    }
+    return undefined;
+}
+function appendPythonImportedSpecifier(moduleSpecifier, importedName) {
+    return moduleSpecifier.endsWith(".")
+        ? `${moduleSpecifier}${importedName}`
+        : `${moduleSpecifier}.${importedName}`;
+}
+function addPythonImportEdge(edges, fromPath, target, kind, specifier) {
+    if (!target || target === fromPath) {
+        return;
+    }
+    edges.push(graphEdge({
+        from: fromPath,
+        to: target,
+        kind,
+        confidence: IMPORT_EDGE_CONFIDENCE,
+        reason: `Resolved Python import specifier '${specifier}'.`,
+    }));
+}
+export function extractPythonImportEdges(fromPath, content, pathLookup) {
+    if (!isPythonSourcePath(fromPath)) {
+        return [];
+    }
+    const edges = [];
+    for (const line of pythonLogicalLines(content)) {
+        const importMatch = /^import\s+(.+)$/i.exec(line);
+        if (importMatch) {
+            for (const rawSpecifier of splitPythonImportList(importMatch[1] ?? "")) {
+                const specifier = stripPythonAlias(rawSpecifier);
+                if (!isPythonAbsoluteModuleSpecifier(specifier)) {
+                    continue;
+                }
+                addPythonImportEdge(edges, fromPath, resolvePythonModuleSpecifier(fromPath, specifier, pathLookup), "python-import", specifier);
+            }
+            continue;
+        }
+        const fromImportMatch = /^from\s+([.\w]+)\s+import\s+(.+)$/i.exec(line);
+        if (!fromImportMatch) {
+            continue;
+        }
+        const moduleSpecifier = fromImportMatch[1] ?? "";
+        if (!isPythonModuleSpecifier(moduleSpecifier)) {
+            continue;
+        }
+        const importedNames = splitPythonImportList(fromImportMatch[2] ?? "")
+            .map(stripPythonAlias)
+            .filter((name) => name !== "*" && isPythonIdentifier(name));
+        const submoduleTargets = importedNames
+            .map((name) => appendPythonImportedSpecifier(moduleSpecifier, name))
+            .map((specifier) => ({
+            specifier,
+            target: resolvePythonModuleSpecifier(fromPath, specifier, pathLookup),
+        }))
+            .filter((item) => item.target);
+        if (submoduleTargets.length > 0) {
+            for (const { specifier, target } of submoduleTargets) {
+                addPythonImportEdge(edges, fromPath, target, "python-from-import", specifier);
+            }
+            continue;
+        }
+        addPythonImportEdge(edges, fromPath, resolvePythonModuleSpecifier(fromPath, moduleSpecifier, pathLookup), "python-from-import", moduleSpecifier);
+    }
+    return edges;
+}

package/dist/extractors/risk.d.ts

@@ -1,5 +1,4 @@
 import type { UnitManifest } from "../types.js";
 import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
-import type { CriticalFlowManifest } from "../types/flows.js";
-import type { RiskRegister } from "../types/risk.js";
+import type { CriticalFlowManifest, RiskRegister } from "@audit-tools/shared";
 export declare function buildRiskRegister(unitManifest: UnitManifest, criticalFlows?: CriticalFlowManifest, externalAnalyzerResults?: ExternalAnalyzerResults): RiskRegister;

package/dist/extractors/surfaces.d.ts

@@ -1,7 +1,5 @@
 import type { RepoManifest } from "../types.js";
-import type { FileDisposition } from "../types/disposition.js";
-import type { GraphBundle } from "../types/graph.js";
-import type { SurfaceManifest } from "../types/surfaces.js";
+import type { FileDisposition, GraphBundle, SurfaceManifest } from "@audit-tools/shared";
 /**
  * Detects likely execution surfaces from file paths using the shared extractor
  * heuristics, primarily to seed later audit planning.

package/dist/extractors/surfaces.js

@@ -1,5 +1,5 @@
 import { buildBrowserExtensionSurfacesFromGraph } from "./browserExtension.js";
-import { isAuditExcludedStatus } from "./disposition.js";
+import { buildDispositionMap, isAuditExcludedStatus } from "./disposition.js";
 import { EXTRACTOR_HEURISTIC_NOTE, isBackgroundSurfacePath, isNetworkSurfacePath, isSurfacePath, normalizeExtractorPath, } from "./pathPatterns.js";
 function methodsForPath(path) {
     const normalized = normalizeExtractorPath(path);
@@ -15,7 +15,7 @@ function methodsForPath(path) {
 export function buildSurfaceManifest(repoManifest, disposition, options = {}) {
     const surfaces = [];
     const seen = new Set();
-    const dispositionMap = new Map(disposition?.files.map((item) => [item.path, item.status]) ?? []);
+    const dispositionMap = buildDispositionMap(disposition);
     function addSurface(surface) {
         const key = `${surface.kind}:${surface.entrypoint}`;
         if (seen.has(key)) {

package/dist/io/artifacts.d.ts

@@ -2,15 +2,11 @@ import { cp, rm } from "node:fs/promises";
 import type { AuditResult, AuditTask, CoverageMatrix, RepoManifest, UnitManifest } from "../types.js";
 import type { AuditState } from "../types/auditState.js";
 import type { ArtifactMetadataManifest } from "../types/artifactMetadata.js";
-import type { FileDisposition } from "../types/disposition.js";
+import type { FileDisposition, CriticalFlowManifest, GraphBundle, RiskRegister, SurfaceManifest } from "@audit-tools/shared";
 import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
 import type { FlowCoverageManifest } from "../types/flowCoverage.js";
-import type { CriticalFlowManifest } from "../types/flows.js";
-import type { GraphBundle } from "../types/graph.js";
-import type { RiskRegister } from "../types/risk.js";
 import type { AuditPlanMetrics, ReviewPacket } from "../types/reviewPlanning.js";
 import type { RuntimeValidationReport, RuntimeValidationTaskManifest } from "../types/runtimeValidation.js";
-import type { SurfaceManifest } from "../types/surfaces.js";
 import type { DesignAssessment } from "../types/designAssessment.js";
 import type { ToolingManifest } from "../types/toolingManifest.js";
 type ArtifactPayloadMap = {

package/dist/io/artifacts.js

@@ -1,6 +1,6 @@
 import { cp, rm, unlink } from "node:fs/promises";
 import { join } from "node:path";
-import { isFileMissingError, readOptionalJsonFile, readOptionalNdjsonFile, readOptionalTextFile, writeJsonFile, writeNdjsonFile, writeTextFile, } from "./json.js";
+import { isFileMissingError, readOptionalJsonFile, readOptionalNdjsonFile, readOptionalTextFile, writeJsonFile, writeNdjsonFile, writeTextFile, } from "@audit-tools/shared";
 import { buildToolingManifest } from "./toolingManifest.js";
 function jsonArtifact(fileName, phase) {
     return {

package/dist/io/runArtifacts.js

@@ -1,7 +1,7 @@
 import { mkdir, readFile, rm, writeFile } from "node:fs/promises";
 import { dirname, join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
-import { writeJsonFile } from "./json.js";
+import { writeJsonFile } from "@audit-tools/shared";
 const moduleDir = dirname(fileURLToPath(import.meta.url));
 const packageRoot = resolve(moduleDir, "..", "..");
 const auditResultSchemaPath = join(packageRoot, "schemas", "audit_result.schema.json");

package/dist/mcp/server.js

@@ -3,7 +3,7 @@ import { spawn } from "node:child_process";
 import { dirname, join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 import { loadArtifactBundle } from "../io/artifacts.js";
-import { readOptionalTextFile } from "../io/json.js";
+import { readOptionalTextFile } from "@audit-tools/shared";
 import { deriveAuditState } from "../orchestrator/state.js";
 import { decideNextStep } from "../orchestrator/nextStep.js";
 import { buildAuditCodeHandoff, } from "../supervisor/operatorHandoff.js";

package/dist/orchestrator/advance.d.ts

@@ -10,6 +10,7 @@ export interface AdvanceAuditOptions {
     runtimeValidationUpdates?: RuntimeValidationReport;
     externalAnalyzerResults?: ExternalAnalyzerResults;
     preferredExecutor?: string;
+    opentoken?: boolean;
 }
 export interface AdvanceAuditResult {
     audit_state: AuditState;

package/dist/orchestrator/advance.js

@@ -1,4 +1,4 @@
-import { decideNextStep } from "./nextStep.js";
+import { decideNextStep, findObligation } from "./nextStep.js";
 import { deriveAuditState } from "./state.js";
 import { computeArtifactMetadata } from "./artifactMetadata.js";
 import { runIntakeExecutor, runStructureExecutor, runPlanningExecutor, runResultIngestionExecutor, runRuntimeValidationExecutor, runRuntimeValidationUpdateExecutor, runSynthesisExecutor, runDesignAssessmentExecutor, runDesignReviewAutoComplete, runExternalAnalyzerImportExecutor, } from "./internalExecutors.js";
@@ -70,7 +70,9 @@ export async function advanceAudit(bundle, options = {}) {
             case "runtime_validation_executor":
                 if (!options.root)
                     throw new Error("advanceAudit runtime_validation_executor requires root");
-                run = await runRuntimeValidationExecutor(bundle, options.root);
+                run = await runRuntimeValidationExecutor(bundle, options.root, {
+                    opentoken: options.opentoken,
+                });
                 break;
             case "synthesis_executor":
                 run = runSynthesisExecutor(bundle, options.auditResults);
@@ -95,7 +97,7 @@ export async function advanceAudit(bundle, options = {}) {
                     throw new Error("advanceAudit syntax_resolution_executor requires root");
                 run = runSyntaxResolutionExecutor(bundle, options.root);
                 break;
-            default:
+            default: {
                 const state = deriveAuditState(bundle);
                 state.last_executor = selectedExecutor;
                 state.last_obligation = selectedObligation ?? undefined;
@@ -109,6 +111,7 @@ export async function advanceAudit(bundle, options = {}) {
                     next_likely_step: selectedObligation,
                     updated_bundle: { ...bundle, audit_state: state },
                 };
+            }
         }
     }
     catch (error) {
@@ -124,7 +127,7 @@ export async function advanceAudit(bundle, options = {}) {
     updatedState.last_executor = selectedExecutor;
     updatedState.last_obligation = selectedObligation ?? undefined;
     const finalizedBundle = { ...metadataBundle, audit_state: updatedState };
-    const followupDecision = decideNextStep(finalizedBundle);
+    const nextObligation = findObligation(updatedState.obligations);
     return {
         audit_state: updatedState,
         selected_obligation: selectedObligation,
@@ -136,7 +139,7 @@ export async function advanceAudit(bundle, options = {}) {
             "audit_state.json",
         ],
         progress_summary: run.progress_summary,
-        next_likely_step: followupDecision.selected_obligation,
+        next_likely_step: nextObligation?.id ?? null,
         updated_bundle: finalizedBundle,
     };
 }

package/dist/orchestrator/auditTaskUtils.d.ts

@@ -0,0 +1,4 @@
+import type { AuditTask, Lens } from "../types.js";
+export declare const LENS_ORDER: Lens[];
+export declare function priorityRank(priority: AuditTask["priority"]): number;
+export declare function sortLenses(lenses: Iterable<Lens>): Lens[];

package/dist/orchestrator/auditTaskUtils.js

@@ -0,0 +1,27 @@
+export const LENS_ORDER = [
+    "security",
+    "correctness",
+    "reliability",
+    "data_integrity",
+    "performance",
+    "operability",
+    "config_deployment",
+    "observability",
+    "maintainability",
+    "tests",
+];
+export function priorityRank(priority) {
+    switch (priority) {
+        case "high":
+            return 3;
+        case "medium":
+            return 2;
+        case "low":
+        default:
+            return 1;
+    }
+}
+export function sortLenses(lenses) {
+    const set = new Set(lenses);
+    return LENS_ORDER.filter((lens) => set.has(lens));
+}

package/dist/orchestrator/fileAnchors.d.ts

@@ -1,5 +1,5 @@
 import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
-import type { GraphBundle } from "../types/graph.js";
+import type { GraphBundle } from "@audit-tools/shared";
 export type FileAnchorKind = "boundary" | "import" | "export" | "symbol" | "route" | "keyword" | "graph" | "analyzer_signal";
 export interface FileAnchor {
     kind: FileAnchorKind;

package/dist/orchestrator/fileIntegrity.d.ts

@@ -0,0 +1,7 @@
+import type { RepoManifest } from "../types.js";
+export interface FileIntegrityResult {
+    changed_files: string[];
+    missing_files: string[];
+    is_clean: boolean;
+}
+export declare function checkFileIntegrity(root: string, manifest: RepoManifest, scope?: string[]): Promise<FileIntegrityResult>;

package/dist/orchestrator/fileIntegrity.js

@@ -0,0 +1,41 @@
+import { createHash } from "node:crypto";
+import { readFile } from "node:fs/promises";
+import { join, isAbsolute } from "node:path";
+import { existsSync } from "node:fs";
+async function hashFile(absolutePath) {
+    const content = await readFile(absolutePath);
+    return createHash("sha256").update(content).digest("hex");
+}
+export async function checkFileIntegrity(root, manifest, scope) {
+    const changed = [];
+    const missing = [];
+    const scopeSet = scope ? new Set(scope) : null;
+    const files = scopeSet
+        ? manifest.files.filter((f) => scopeSet.has(f.path))
+        : manifest.files;
+    for (const record of files) {
+        if (!record.hash)
+            continue;
+        const absolute = isAbsolute(record.path)
+            ? record.path
+            : join(root, record.path);
+        if (!existsSync(absolute)) {
+            missing.push(record.path);
+            continue;
+        }
+        try {
+            const currentHash = await hashFile(absolute);
+            if (currentHash !== record.hash) {
+                changed.push(record.path);
+            }
+        }
+        catch {
+            missing.push(record.path);
+        }
+    }
+    return {
+        changed_files: changed,
+        missing_files: missing,
+        is_clean: changed.length === 0 && missing.length === 0,
+    };
+}

package/dist/orchestrator/flowCoverage.d.ts

@@ -1,4 +1,4 @@
 import type { CoverageMatrix } from "../types.js";
 import type { FlowCoverageManifest } from "../types/flowCoverage.js";
-import type { CriticalFlowManifest } from "../types/flows.js";
+import type { CriticalFlowManifest } from "@audit-tools/shared";
 export declare function buildFlowCoverage(criticalFlows: CriticalFlowManifest, coverageMatrix: CoverageMatrix): FlowCoverageManifest;

package/dist/orchestrator/flowPlanning.d.ts

@@ -1,5 +1,5 @@
 import type { Lens } from "../types.js";
-import type { CriticalFlowManifest } from "../types/flows.js";
+import type { CriticalFlowManifest } from "@audit-tools/shared";
 export interface FlowReviewBlock {
     flow_id: string;
     lens: Lens;

package/dist/orchestrator/flowRequeue.d.ts

@@ -1,5 +1,5 @@
 import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
 import type { AuditTask, CoverageMatrix } from "../types.js";
 import type { FlowCoverageManifest } from "../types/flowCoverage.js";
-import type { CriticalFlowManifest } from "../types/flows.js";
+import type { CriticalFlowManifest } from "@audit-tools/shared";
 export declare function buildFlowRequeueTasks(criticalFlows: CriticalFlowManifest, flowCoverage: FlowCoverageManifest, coverageMatrix: CoverageMatrix, externalAnalyzerResults?: ExternalAnalyzerResults): AuditTask[];

package/dist/orchestrator/internalExecutors.d.ts

@@ -17,7 +17,9 @@ export declare function runDesignAssessmentExecutor(bundle: ArtifactBundle): Exe
 export declare function runDesignReviewAutoComplete(bundle: ArtifactBundle): ExecutorRunResult;
 export declare function runPlanningExecutor(bundle: ArtifactBundle, root: string, lineIndex?: Record<string, number>): Promise<ExecutorRunResult>;
 export declare function runResultIngestionExecutor(bundle: ArtifactBundle, results: AuditResult[]): ExecutorRunResult;
-export declare function runRuntimeValidationExecutor(bundle: ArtifactBundle, root: string): Promise<ExecutorRunResult>;
+export declare function runRuntimeValidationExecutor(bundle: ArtifactBundle, root: string, options?: {
+    opentoken?: boolean;
+}): Promise<ExecutorRunResult>;
 export declare function runRuntimeValidationUpdateExecutor(bundle: ArtifactBundle, updates: RuntimeValidationReport): ExecutorRunResult;
 export declare function runSynthesisExecutor(bundle: ArtifactBundle, results?: AuditResult[]): ExecutorRunResult;
 export declare function runExternalAnalyzerImportExecutor(bundle: ArtifactBundle, externalResults: ExternalAnalyzerResults): ExecutorRunResult;

package/dist/orchestrator/internalExecutors.js

@@ -56,8 +56,21 @@ function appendSelectiveDeepeningTasks(params) {
         artifacts: ["audit_tasks.json", "audit_plan_metrics.json", "review_packets.json"],
     };
 }
-async function runCommand(command, cwd) {
-    const spawnCommand = resolveRuntimeValidationSpawnCommand(command);
+function resolveOpentokenWrap(resolved, platform = process.platform) {
+    if (platform === "win32") {
+        const shell = process.env.ComSpec ?? "cmd.exe";
+        const inner = [resolved.command, ...resolved.args]
+            .map((v) => (/^[A-Za-z0-9_./:=@+-]+$/.test(v) ? v : `"${v.replace(/(["^&|<>%])/g, "^$1")}"`))
+            .join(" ");
+        return { command: shell, args: ["/d", "/s", "/c", `opentoken wrap ${inner}`] };
+    }
+    return { command: "opentoken", args: ["wrap", resolved.command, ...resolved.args] };
+}
+async function runCommand(command, cwd, options = {}) {
+    let spawnCommand = resolveRuntimeValidationSpawnCommand(command);
+    if (options.opentoken) {
+        spawnCommand = resolveOpentokenWrap(spawnCommand);
+    }
     const displayCommand = command.join(" ");
     return await new Promise((resolve) => {
         const child = spawn(spawnCommand.command, spawnCommand.args, {
@@ -121,7 +134,7 @@ export async function runIntakeExecutor(bundle, root) {
     const repoManifest = await buildRepoManifestFromFs({
         root,
         ignore,
-        hash_files: false,
+        hash_files: true,
     });
     const disposition = buildFileDisposition(repoManifest);
     const auditableCount = disposition.files.filter((file) => !isAuditExcludedStatus(file.status)).length;
@@ -192,6 +205,11 @@ export function runDesignAssessmentExecutor(bundle) {
         criticalFlows: bundle.critical_flows,
         riskRegister: bundle.risk_register,
     });
+    const previous = bundle.design_assessment;
+    if (previous?.reviewed) {
+        designAssessment.reviewed = true;
+        designAssessment.review_findings = previous.review_findings ?? [];
+    }
     return {
         updated: {
             ...bundle,
@@ -354,7 +372,7 @@ export function runResultIngestionExecutor(bundle, results) {
                 : ""),
     };
 }
-export async function runRuntimeValidationExecutor(bundle, root) {
+export async function runRuntimeValidationExecutor(bundle, root, options = {}) {
     if (!bundle.runtime_validation_tasks) {
         throw new Error("Cannot execute runtime validation without runtime_validation_tasks");
     }
@@ -378,7 +396,7 @@ export async function runRuntimeValidationExecutor(bundle, root) {
             continue;
         }
         const signature = task.command.join("\0");
-        const outcome = byCommand.get(signature) ?? (await runCommand(task.command, root));
+        const outcome = byCommand.get(signature) ?? (await runCommand(task.command, root, { opentoken: options.opentoken }));
         byCommand.set(signature, outcome);
         byTaskId.set(task.id, {
             task_id: task.id,