auditor-lambda 0.3.40 → 0.3.41

package/dist/orchestrator/nextStep.d.ts

@@ -1,9 +1,10 @@
 import type { ArtifactBundle } from "../io/artifacts.js";
-import type { AuditState } from "../types/auditState.js";
+import type { AuditObligation, AuditState } from "../types/auditState.js";
 export interface NextStepDecision {
     state: AuditState;
     selected_obligation: string | null;
     selected_executor: string | null;
     reason: string;
 }
+export declare function findObligation(obligations: AuditObligation[]): AuditObligation | undefined;
 export declare function decideNextStep(bundle: ArtifactBundle): NextStepDecision;

package/dist/orchestrator/nextStep.js

@@ -14,7 +14,7 @@ const PRIORITY = [
     "runtime_validation_current",
     "synthesis_current",
 ];
-function findObligation(obligations) {
+export function findObligation(obligations) {
     for (const id of PRIORITY) {
         const item = obligations.find((o) => o.id === id);
         if (item && (item.state === "missing" || item.state === "stale")) {

package/dist/orchestrator/planning.d.ts

@@ -1,4 +1,4 @@
 import type { CoverageMatrix, RepoManifest, UnitManifest } from "../types.js";
-import type { FileDisposition } from "../types/disposition.js";
+import type { FileDisposition } from "@audit-tools/shared";
 import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
 export declare function initializeCoverageFromPlan(repoManifest: RepoManifest, unitManifest: UnitManifest, disposition: FileDisposition, externalAnalyzerResults?: ExternalAnalyzerResults): CoverageMatrix;

package/dist/orchestrator/requeueCommand.d.ts

@@ -1,7 +1,7 @@
 import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
 import type { CoverageMatrix } from "../types.js";
 import type { FlowCoverageManifest } from "../types/flowCoverage.js";
-import type { CriticalFlowManifest } from "../types/flows.js";
+import type { CriticalFlowManifest } from "@audit-tools/shared";
 export declare function buildRequeuePayload(matrix: CoverageMatrix, criticalFlows?: CriticalFlowManifest, flowCoverage?: FlowCoverageManifest, externalAnalyzerResults?: ExternalAnalyzerResults): {
     task_count: number;
     file_task_count: number;

package/dist/orchestrator/reviewPackets.d.ts

@@ -1,6 +1,6 @@
 import type { AuditTask } from "../types.js";
 import type { AuditPlanMetrics, ReviewPacket } from "../types/reviewPlanning.js";
-import type { GraphBundle } from "../types/graph.js";
+import type { GraphBundle } from "@audit-tools/shared";
 export declare const ESTIMATED_TOKENS_PER_LINE = 4;
 export declare const ESTIMATED_PACKET_PROMPT_TOKENS = 900;
 export declare function estimateTaskGroupTokens(tasks: AuditTask[]): number;

package/dist/orchestrator/reviewPackets.js

@@ -1,5 +1,7 @@
 import { createHash } from "node:crypto";
-import { LENS_ORDER } from "./unitBuilder.js";
+import { isRecord } from "@audit-tools/shared";
+import { LENS_ORDER, priorityRank, sortLenses } from "./auditTaskUtils.js";
+import { UnionFind } from "./unionFind.js";
 const DEFAULT_MAX_TASKS_PER_PACKET = 0;
 const DEFAULT_TARGET_PACKET_LINES = 8000;
 export const ESTIMATED_TOKENS_PER_LINE = 4;
@@ -57,24 +59,9 @@ const BROAD_ANALYZER_OWNERSHIP_ROOTS = new Set([
     "spec",
     "specs",
 ]);
-function priorityRank(priority) {
-    switch (priority) {
-        case "high":
-            return 3;
-        case "medium":
-            return 2;
-        case "low":
-        default:
-            return 1;
-    }
-}
 function normalizePriority(priority) {
     return priority ?? "low";
 }
-function sortLenses(lenses) {
-    const set = new Set(lenses);
-    return LENS_ORDER.filter((lens) => set.has(lens));
-}
 function lineCountForPath(task, path, lineIndex) {
     return task.file_line_counts?.[path] ?? lineIndex?.[path] ?? 0;
 }
@@ -102,9 +89,6 @@ function buildTaskGroups(tasks) {
 function normalizeGraphPath(path) {
     return path.replace(/\\/g, "/").replace(/^\.\//, "").toLowerCase();
 }
-function isRecord(value) {
-    return value !== null && typeof value === "object" && !Array.isArray(value);
-}
 function collectGraphEdges(graphBundle) {
     if (!graphBundle?.graphs) {
         return [];
@@ -255,33 +239,16 @@ function groupsOverlap(a, b) {
     }
     return false;
 }
-function buildGraphConnectedComponentIndex(groups, graphEdges) {
-    const groupKeys = [...groups.keys()];
-    const parent = new Map(groupKeys.map((key) => [key, key]));
+function unionFindFromGroups(groups, graphEdges) {
+    const uf = new UnionFind(groups.keys());
     const fileToGroupKeys = buildFileToGroupKeys(groups);
     const degreeIndex = buildGraphDegreeIndex(graphEdges);
-    function find(key) {
-        const current = parent.get(key) ?? key;
-        if (current === key)
-            return key;
-        const root = find(current);
-        parent.set(key, root);
-        return root;
-    }
-    function union(a, b) {
-        const rootA = find(a);
-        const rootB = find(b);
-        if (rootA === rootB)
-            return;
-        const [keep, move] = rootA.localeCompare(rootB) <= 0 ? [rootA, rootB] : [rootB, rootA];
-        parent.set(move, keep);
-    }
     for (const keys of fileToGroupKeys.values()) {
         const [first, ...rest] = [...keys].sort((a, b) => a.localeCompare(b));
         if (!first)
             continue;
         for (const key of rest) {
-            union(first, key);
+            uf.union(first, key);
         }
     }
     for (const edge of graphEdges) {
@@ -295,11 +262,15 @@ function buildGraphConnectedComponentIndex(groups, graphEdges) {
         }
         for (const fromKey of fromGroups) {
             for (const toKey of toGroups) {
-                union(fromKey, toKey);
+                uf.union(fromKey, toKey);
             }
         }
     }
-    return new Map(groupKeys.map((key) => [key, find(key)]));
+    return uf;
+}
+function buildGraphConnectedComponentIndex(groups, graphEdges) {
+    const uf = unionFindFromGroups(groups, graphEdges);
+    return new Map([...groups.keys()].map((key) => [key, uf.find(key)]));
 }
 function subsystemRootForPath(path) {
     const segments = normalizeGraphPath(path).split("/").filter(Boolean);
@@ -435,39 +406,18 @@ function isCargoManifestPath(path) {
 function isMavenPomPath(path) {
     return normalizeGraphPath(path).split("/").at(-1) === "pom.xml";
 }
-function typescriptProjectRoot(path) {
-    const segments = normalizeGraphPath(path).split("/").filter(Boolean);
-    if (!isTypescriptProjectConfigPath(path) || segments.length < 2) {
-        return undefined;
-    }
-    return segments.slice(0, -1).join("/");
-}
-function goModuleRoot(path) {
-    const segments = normalizeGraphPath(path).split("/").filter(Boolean);
-    if (!isGoModuleManifestPath(path) || segments.length < 2) {
-        return undefined;
-    }
-    return segments.slice(0, -1).join("/");
-}
-function cargoModuleRoot(path) {
+function configFileRoot(path, predicate) {
     const segments = normalizeGraphPath(path).split("/").filter(Boolean);
-    if (!isCargoManifestPath(path) || segments.length < 2) {
-        return undefined;
-    }
-    return segments.slice(0, -1).join("/");
-}
-function mavenModuleRoot(path) {
-    const segments = normalizeGraphPath(path).split("/").filter(Boolean);
-    if (!isMavenPomPath(path) || segments.length < 2) {
+    if (!predicate(path) || segments.length < 2) {
         return undefined;
     }
     return segments.slice(0, -1).join("/");
 }
 function moduleConfigRoot(path) {
-    return (typescriptProjectRoot(path) ??
-        goModuleRoot(path) ??
-        cargoModuleRoot(path) ??
-        mavenModuleRoot(path));
+    return (configFileRoot(path, isTypescriptProjectConfigPath) ??
+        configFileRoot(path, isGoModuleManifestPath) ??
+        configFileRoot(path, isCargoManifestPath) ??
+        configFileRoot(path, isMavenPomPath));
 }
 function analyzerOwnershipRoot(path) {
     const root = normalizeGraphPath(path).replace(/\/+$/, "");
@@ -860,52 +810,10 @@ function chunkPacketTasks(tasks, options) {
     return chunks;
 }
 function mergeGraphConnectedGroups(groups, graphEdges) {
-    const groupKeys = [...groups.keys()];
-    const parent = new Map(groupKeys.map((key) => [key, key]));
-    const fileToGroupKeys = buildFileToGroupKeys(groups);
-    const degreeIndex = buildGraphDegreeIndex(graphEdges);
-    function find(key) {
-        const current = parent.get(key) ?? key;
-        if (current === key)
-            return key;
-        const root = find(current);
-        parent.set(key, root);
-        return root;
-    }
-    function union(a, b) {
-        const rootA = find(a);
-        const rootB = find(b);
-        if (rootA === rootB)
-            return;
-        const [keep, move] = rootA.localeCompare(rootB) <= 0 ? [rootA, rootB] : [rootB, rootA];
-        parent.set(move, keep);
-    }
-    for (const keys of fileToGroupKeys.values()) {
-        const [first, ...rest] = [...keys].sort((a, b) => a.localeCompare(b));
-        if (!first)
-            continue;
-        for (const key of rest) {
-            union(first, key);
-        }
-    }
-    for (const edge of graphEdges) {
-        if (!isPacketExpansionEdge(edge, degreeIndex)) {
-            continue;
-        }
-        const fromGroups = fileToGroupKeys.get(normalizeGraphPath(edge.from));
-        const toGroups = fileToGroupKeys.get(normalizeGraphPath(edge.to));
-        if (!fromGroups || !toGroups) {
-            continue;
-        }
-        for (const fromKey of fromGroups) {
-            for (const toKey of toGroups) {
-                union(fromKey, toKey);
-            }
-        }
-    }
+    const uf = unionFindFromGroups(groups, graphEdges);
     const merged = new Map();
-    for (const key of groupKeys) {
-        const root = find(key);
+    for (const key of groups.keys()) {
+        const root = uf.find(key);
         const current = merged.get(root) ?? [];
         current.push(...(groups.get(key) ?? []));
         merged.set(root, current);

package/dist/orchestrator/runtimeValidation.d.ts

@@ -1,6 +1,6 @@
 import type { UnitManifest } from "../types.js";
 import type { FlowCoverageManifest } from "../types/flowCoverage.js";
-import type { CriticalFlowManifest } from "../types/flows.js";
+import type { CriticalFlowManifest } from "@audit-tools/shared";
 import type { RuntimeValidationReport, RuntimeValidationTaskManifest } from "../types/runtimeValidation.js";
 export declare function discoverRuntimeValidationCommand(root: string): Promise<string[] | undefined>;
 export declare function buildRuntimeValidationTasks(params: {

package/dist/orchestrator/taskBuilder.d.ts

@@ -1,6 +1,6 @@
 import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
 import type { AuditTask, CoverageMatrix, Lens } from "../types.js";
-import type { CriticalFlowManifest } from "../types/flows.js";
+import type { CriticalFlowManifest } from "@audit-tools/shared";
 export interface UnitLineIndex {
     [path: string]: number;
 }

package/dist/orchestrator/taskBuilder.js

@@ -1,6 +1,6 @@
 import { claimFlowReviewBlocks } from "./flowPlanning.js";
 import { isTrivialAuditPath } from "./trivialAudit.js";
-import { LENS_ORDER } from "./unitBuilder.js";
+import { LENS_ORDER, priorityRank } from "./auditTaskUtils.js";
 import { isTestPath, normalizeExtractorPath, } from "../extractors/pathPatterns.js";
 function taskPriority(hasExternalSignal, lens, isCriticalFlow = false) {
     if (isCriticalFlow) {
@@ -17,17 +17,6 @@ function taskPriority(hasExternalSignal, lens, isCriticalFlow = false) {
     }
     return lens === "security" || lens === "data_integrity" ? "medium" : "low";
 }
-function priorityRank(priority) {
-    switch (priority) {
-        case "high":
-            return 3;
-        case "medium":
-            return 2;
-        case "low":
-        default:
-            return 1;
-    }
-}
 function pickAnalyzerLens(category) {
     const normalized = category.toLowerCase();
     if (normalized.includes("security") ||

package/dist/orchestrator/unionFind.d.ts

@@ -0,0 +1,7 @@
+export declare class UnionFind {
+    private readonly parent;
+    constructor(keys: Iterable<string>);
+    find(key: string): string;
+    union(a: string, b: string): void;
+    groups(): Map<string, string[]>;
+}

package/dist/orchestrator/unionFind.js

@@ -0,0 +1,32 @@
+export class UnionFind {
+    parent;
+    constructor(keys) {
+        this.parent = new Map([...keys].map((key) => [key, key]));
+    }
+    find(key) {
+        const current = this.parent.get(key) ?? key;
+        if (current === key)
+            return key;
+        const root = this.find(current);
+        this.parent.set(key, root);
+        return root;
+    }
+    union(a, b) {
+        const rootA = this.find(a);
+        const rootB = this.find(b);
+        if (rootA === rootB)
+            return;
+        const [keep, move] = rootA.localeCompare(rootB) <= 0 ? [rootA, rootB] : [rootB, rootA];
+        this.parent.set(move, keep);
+    }
+    groups() {
+        const result = new Map();
+        for (const key of this.parent.keys()) {
+            const root = this.find(key);
+            const group = result.get(root) ?? [];
+            group.push(key);
+            result.set(root, group);
+        }
+        return result;
+    }
+}

package/dist/orchestrator/unitBuilder.d.ts

@@ -1,6 +1,6 @@
 import type { Lens, RepoManifest, UnitManifest } from "../types.js";
-import type { FileDisposition } from "../types/disposition.js";
-export declare const LENS_ORDER: Lens[];
+import type { FileDisposition } from "@audit-tools/shared";
+export { LENS_ORDER, sortLenses } from "./auditTaskUtils.js";
 export declare function deriveRequiredLensesForPath(path: string, options?: {
     isBrowserExtensionProject?: boolean;
 }): Lens[];

package/dist/orchestrator/unitBuilder.js

@@ -1,7 +1,8 @@
 import { deriveBrowserExtensionLensesForPath, hasBrowserExtensionManifestFile, inferBrowserExtensionUnitKind, } from "../extractors/browserExtension.js";
 import { bucketFile } from "../extractors/bucketing.js";
-import { isAuditExcludedStatus } from "../extractors/disposition.js";
+import { buildDispositionMap, isAuditExcludedStatus } from "../extractors/disposition.js";
 import { pathTokens, normalizeExtractorPath } from "../extractors/pathPatterns.js";
+import { sortLenses } from "./auditTaskUtils.js";
 const LENS_MAP = {
     runtime: ["correctness", "maintainability", "tests", "observability"],
     interface: ["correctness", "security", "reliability", "tests", "observability"],
@@ -76,22 +77,7 @@ function inferUnitId(path, kind) {
     }
     return `${kind}-${path.replace(/[^a-zA-Z0-9_-]/g, "-")}`;
 }
-export const LENS_ORDER = [
-    "security",
-    "correctness",
-    "reliability",
-    "data_integrity",
-    "performance",
-    "operability",
-    "config_deployment",
-    "observability",
-    "maintainability",
-    "tests",
-];
-function sortLenses(lenses) {
-    const set = new Set(lenses);
-    return LENS_ORDER.filter((lens) => set.has(lens));
-}
+export { LENS_ORDER, sortLenses } from "./auditTaskUtils.js";
 function applyExtensionLensGuards(path, lenses) {
     const n = path.toLowerCase();
     if (n.endsWith(".schema.json") || n.endsWith(".schema.ts")) {
@@ -142,7 +128,7 @@ function inferCriticalFlows(files, requiredLenses) {
 export function buildUnitManifest(repoManifest, disposition) {
     const units = new Map();
     const isBrowserExtensionProject = hasBrowserExtensionManifestFile(repoManifest);
-    const dispositionMap = new Map(disposition?.files.map((item) => [item.path, item.status]) ?? []);
+    const dispositionMap = buildDispositionMap(disposition);
     for (const file of repoManifest.files) {
         const status = dispositionMap.get(file.path);
         if (file.excluded || (status && isAuditExcludedStatus(status))) {

package/dist/prompts/renderWorkerPrompt.js

@@ -2,6 +2,20 @@ import { usesDeferredWorkerCommand, } from "../types/workerSession.js";
 function renderArgv(task) {
     return JSON.stringify(task.worker_command);
 }
+function renderAccessSection(access) {
+    const lines = ["", "## File access"];
+    if (access.read_paths.length > 0) {
+        lines.push(`Read: ${access.read_paths.join(", ")}`);
+    }
+    if (access.write_paths.length > 0) {
+        lines.push(`Write: ${access.write_paths.join(", ")}`);
+    }
+    if (access.forbidden_patterns && access.forbidden_patterns.length > 0) {
+        lines.push(`Forbidden: ${access.forbidden_patterns.join(", ")}`);
+    }
+    lines.push("Do not read or write files outside these paths.");
+    return lines;
+}
 export function renderWorkerPrompt(task) {
     const commandArgv = renderArgv(task);
     if (task.preferred_executor === "agent" && task.audit_results_path) {
@@ -12,7 +26,7 @@ export function renderWorkerPrompt(task) {
             `Read: ${tasksPath}`,
             "Scope: review only the tasks listed in the Read file. Do not add tasks,",
             "edit source files, remediate findings, run unrelated audits, or write result_path.",
-            "Prefer host Read and Grep tools for source inspection. On native Windows, do not use Unix pipelines like `grep ... | head`; if shell search is unavoidable, use `Select-String` as a fallback.",
+            "Use host Read and Grep tools for source inspection. Do not use shell search commands.",
             "For each listed task: read the assigned file_paths under the specified lens,",
             "using targeted reads/searches where they give complete enough evidence without loading unrelated context,",
             "and emit exactly one AuditResult object with:",
@@ -34,6 +48,9 @@ export function renderWorkerPrompt(task) {
         else {
             lines.push("After writing audit_results_path, execute worker_command from task.json exactly.", "The worker command ingests audit_results_path and writes result_path.", `Command: ${commandArgv}`);
         }
+        if (task.access) {
+            lines.push(...renderAccessSection(task.access));
+        }
         return lines.join("\n");
     }
     return [

package/dist/providers/claudeCodeProvider.d.ts

@@ -1,11 +1,11 @@
-import type { FreshSessionProvider, LaunchFreshSessionInput } from "./types.js";
-import type { ClaudeCodeConfig } from "../types/sessionConfig.js";
+import type { FreshSessionProvider, LaunchFreshSessionInput, ClaudeCodeConfig, OpenTokenConfig } from "@audit-tools/shared";
 import { spawnLoggedCommand } from "./spawnLoggedCommand.js";
 export declare const ACTIVE_CLAUDE_CODE_SESSION_MESSAGE: string;
 export declare class ClaudeCodeProvider implements FreshSessionProvider {
     name: string;
     private readonly config;
+    private readonly opentoken;
     private readonly launchCommand;
-    constructor(config?: ClaudeCodeConfig, launchCommand?: typeof spawnLoggedCommand);
-    launch(input: LaunchFreshSessionInput): Promise<import("./types.js").LaunchFreshSessionResult>;
+    constructor(config?: ClaudeCodeConfig, launchCommand?: typeof spawnLoggedCommand, opentoken?: OpenTokenConfig);
+    launch(input: LaunchFreshSessionInput): Promise<import("@audit-tools/shared").LaunchFreshSessionResult>;
 }

package/dist/providers/claudeCodeProvider.js

@@ -6,10 +6,12 @@ export const ACTIVE_CLAUDE_CODE_SESSION_MESSAGE = "claude-code provider cannot b
 export class ClaudeCodeProvider {
     name = "claude-code";
     config;
+    opentoken;
     launchCommand;
-    constructor(config = {}, launchCommand = spawnLoggedCommand) {
+    constructor(config = {}, launchCommand = spawnLoggedCommand, opentoken = {}) {
         this.config = config;
         this.launchCommand = launchCommand;
+        this.opentoken = opentoken;
     }
     async launch(input) {
         if (process.env.CLAUDECODE) {
@@ -17,14 +19,18 @@ export class ClaudeCodeProvider {
         }
         const prompt = await readFile(input.promptPath, "utf8");
         const command = this.config.command ?? "claude";
+        const promptFlag = this.config.prompt_flag ?? "-p";
         const args = [
-            "-p",
+            promptFlag,
             prompt,
             ...(this.config.extra_args ?? []),
             ...(this.config.dangerously_skip_permissions
                 ? ["--dangerously-skip-permissions"]
                 : []),
         ];
-        return await this.launchCommand(command, args, input);
+        return await this.launchCommand(command, args, input, undefined, {
+            opentoken: this.opentoken.enabled,
+            opentokenCommand: this.opentoken.command,
+        });
     }
 }

package/dist/providers/constants.d.ts

@@ -1 +1 @@
-export declare const LOCAL_SUBPROCESS_PROVIDER_NAME: "local-subprocess";
+export { LOCAL_SUBPROCESS_PROVIDER_NAME } from "@audit-tools/shared";

package/dist/providers/constants.js

@@ -1 +1 @@
-export const LOCAL_SUBPROCESS_PROVIDER_NAME = "local-subprocess";
+export { LOCAL_SUBPROCESS_PROVIDER_NAME } from "@audit-tools/shared";

package/dist/providers/index.d.ts

@@ -1,5 +1,4 @@
-import type { FreshSessionProvider } from "./types.js";
-import type { ResolvedProviderName, SessionConfig } from "../types/sessionConfig.js";
+import type { FreshSessionProvider, ResolvedProviderName, SessionConfig } from "@audit-tools/shared";
 export declare function resolveFreshSessionProviderName(name: string | undefined, sessionConfig?: SessionConfig, options?: {
     env?: NodeJS.ProcessEnv;
     commandExists?: (command: string) => boolean;

package/dist/providers/index.js

@@ -64,6 +64,7 @@ export function resolveFreshSessionProviderName(name, sessionConfig = {}, option
 }
 export function createFreshSessionProvider(name, sessionConfig = {}) {
     const providerName = resolveFreshSessionProviderName(name, sessionConfig);
+    const opentoken = sessionConfig.opentoken ?? {};
     if (providerName === "local-subprocess" &&
         (name ?? sessionConfig.provider) === "auto") {
         process.stderr.write("audit-code: auto provider resolved to local-subprocess — no capable agent provider detected. " +
@@ -77,16 +78,16 @@ export function createFreshSessionProvider(name, sessionConfig = {}) {
             if (!sessionConfig.subprocess_template?.command_template?.length) {
                 throw new Error("subprocess-template provider requires session-config.json with subprocess_template.command_template.");
             }
-            return new SubprocessTemplateProvider(sessionConfig.subprocess_template);
+            return new SubprocessTemplateProvider(sessionConfig.subprocess_template, undefined, opentoken);
         case "claude-code":
-            return new ClaudeCodeProvider(sessionConfig.claude_code);
+            return new ClaudeCodeProvider(sessionConfig.claude_code, undefined, opentoken);
         case "opencode":
-            return new OpenCodeProvider(sessionConfig.opencode);
+            return new OpenCodeProvider(sessionConfig.opencode, opentoken);
         case "vscode-task":
             if (!sessionConfig.vscode_task?.command_template?.length) {
                 throw new Error("vscode-task provider requires session-config.json with vscode_task.command_template.");
             }
-            return new VSCodeTaskProvider(sessionConfig.vscode_task);
+            return new VSCodeTaskProvider(sessionConfig.vscode_task, opentoken);
         default:
             throw new Error(`Unknown provider: ${providerName}`);
     }

package/dist/providers/localSubprocessProvider.d.ts

@@ -1,9 +1,9 @@
-import type { FreshSessionProvider, LaunchFreshSessionInput } from "./types.js";
+import type { FreshSessionProvider, LaunchFreshSessionInput } from "@audit-tools/shared";
 import { spawnLoggedCommand } from "./spawnLoggedCommand.js";
 export declare const MISSING_WORKER_COMMAND_MESSAGE = "local-subprocess provider requires task.worker_command.";
 export declare class LocalSubprocessProvider implements FreshSessionProvider {
     name: string;
     private readonly launchCommand;
     constructor(launchCommand?: typeof spawnLoggedCommand);
-    launch(input: LaunchFreshSessionInput): Promise<import("./types.js").LaunchFreshSessionResult>;
+    launch(input: LaunchFreshSessionInput): Promise<import("@audit-tools/shared").LaunchFreshSessionResult>;
 }

package/dist/providers/localSubprocessProvider.js

@@ -1,4 +1,4 @@
-import { readJsonFile } from "../io/json.js";
+import { readJsonFile } from "@audit-tools/shared";
 import { spawnLoggedCommand } from "./spawnLoggedCommand.js";
 export const MISSING_WORKER_COMMAND_MESSAGE = "local-subprocess provider requires task.worker_command.";
 export class LocalSubprocessProvider {

package/dist/providers/opencodeProvider.d.ts

@@ -1,8 +1,8 @@
-import type { FreshSessionProvider, LaunchFreshSessionInput } from "./types.js";
-import type { OpenCodeConfig } from "../types/sessionConfig.js";
+import type { FreshSessionProvider, LaunchFreshSessionInput, OpenCodeConfig, OpenTokenConfig } from "@audit-tools/shared";
 export declare class OpenCodeProvider implements FreshSessionProvider {
     name: string;
     private readonly config;
-    constructor(config?: OpenCodeConfig);
-    launch(input: LaunchFreshSessionInput): Promise<import("./types.js").LaunchFreshSessionResult>;
+    private readonly opentoken;
+    constructor(config?: OpenCodeConfig, opentoken?: OpenTokenConfig);
+    launch(input: LaunchFreshSessionInput): Promise<import("@audit-tools/shared").LaunchFreshSessionResult>;
 }

package/dist/providers/opencodeProvider.js

@@ -22,14 +22,19 @@ function quoteCmdArg(value) {
 export class OpenCodeProvider {
     name = "opencode";
     config;
-    constructor(config = {}) {
+    opentoken;
+    constructor(config = {}, opentoken = {}) {
         this.config = config;
+        this.opentoken = opentoken;
     }
     async launch(input) {
         const prompt = await readFile(input.promptPath, "utf8");
         const baseCommand = this.config.command ?? "opencode";
         const baseArgs = ["run", prompt, ...(this.config.extra_args ?? [])];
         const resolved = resolveOpenCodeSpawnCommand(baseCommand, baseArgs);
-        return await spawnLoggedCommand(resolved.command, resolved.args, input);
+        return await spawnLoggedCommand(resolved.command, resolved.args, input, undefined, {
+            opentoken: this.opentoken.enabled,
+            opentokenCommand: this.opentoken.command,
+        });
     }
 }

package/dist/providers/spawnLoggedCommand.d.ts

@@ -1,10 +1,12 @@
 import { createWriteStream } from "node:fs";
 import { spawn } from "node:child_process";
-import type { LaunchFreshSessionInput, LaunchFreshSessionResult } from "./types.js";
+import type { LaunchFreshSessionInput, LaunchFreshSessionResult } from "@audit-tools/shared";
 interface SpawnLoggedCommandOptions {
     createWriteStream?: typeof createWriteStream;
     spawn?: typeof spawn;
     killGraceMs?: number;
+    opentoken?: boolean;
+    opentokenCommand?: string;
 }
 export declare function spawnLoggedCommand(command: string, args: string[], input: LaunchFreshSessionInput, env?: Record<string, string>, options?: SpawnLoggedCommandOptions): Promise<LaunchFreshSessionResult>;
 export {};

package/dist/providers/spawnLoggedCommand.js

@@ -6,6 +6,22 @@ const FORCE_KILL_GRACE_MS = 1_000;
 function formatCommand(command, args) {
     return [command, ...args].join(" ");
 }
+function quoteCmdArg(value) {
+    if (/^[A-Za-z0-9_./:=@+-]+$/.test(value))
+        return value;
+    return `"${value.replace(/(["^&|<>%])/g, "^$1")}"`;
+}
+function applyOpenTokenWrap(command, args, opentokenCommand, platform = process.platform) {
+    if (platform === "win32") {
+        const shell = process.env.ComSpec ?? "cmd.exe";
+        const inner = [command, ...args].map(quoteCmdArg).join(" ");
+        return {
+            command: shell,
+            args: ["/d", "/s", "/c", `${opentokenCommand} wrap ${inner}`],
+        };
+    }
+    return { command: opentokenCommand, args: ["wrap", command, ...args] };
+}
 // On Windows `command` must be the resolved .cmd / .exe path because `spawn`
 // does not consult PATH for executables without a shell. Callers should use
 // `platformCommand()` (scripts/smoke-packaged-audit-code.mjs) or similar to
@@ -14,6 +30,11 @@ export async function spawnLoggedCommand(command, args, input, env, options = {}
     const openWriteStream = options.createWriteStream ?? createWriteStream;
     const spawnProcess = options.spawn ?? spawn;
     const killGraceMs = options.killGraceMs ?? FORCE_KILL_GRACE_MS;
+    if (options.opentoken) {
+        const wrapped = applyOpenTokenWrap(command, args, options.opentokenCommand ?? "opentoken");
+        command = wrapped.command;
+        args = wrapped.args;
+    }
     return await new Promise((resolve, reject) => {
         const stdoutLog = openWriteStream(input.stdoutPath, { flags: "a" });
         const stderrLog = openWriteStream(input.stderrPath, { flags: "a" });

package/dist/providers/subprocessTemplateProvider.d.ts

@@ -1,8 +1,8 @@
-import type { FreshSessionProvider, LaunchFreshSessionInput } from "./types.js";
-import type { SubprocessTemplateConfig } from "../types/sessionConfig.js";
+import type { FreshSessionProvider, LaunchFreshSessionInput, SubprocessTemplateConfig, OpenTokenConfig } from "@audit-tools/shared";
 export declare class SubprocessTemplateProvider implements FreshSessionProvider {
     name: string;
     private readonly config;
-    constructor(config: SubprocessTemplateConfig, name?: string);
-    launch(input: LaunchFreshSessionInput): Promise<import("./types.js").LaunchFreshSessionResult>;
+    private readonly opentoken;
+    constructor(config: SubprocessTemplateConfig, name?: string, opentoken?: OpenTokenConfig);
+    launch(input: LaunchFreshSessionInput): Promise<import("@audit-tools/shared").LaunchFreshSessionResult>;
 }