auditor-lambda 0.3.40 → 0.5.0

package/dist/types/auditScope.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Phase 3 — `--since` delta scope.
+ *
+ * `scope.json` records how the audit was scoped for a given run: a full audit
+ * (the default), or a delta audit measured against a git ref. In delta mode the
+ * orchestrator audits only the changed files (`seed_files`) and their nearest
+ * graph neighbours (`expanded_files`); every other auditable file inherits its
+ * prior completion or is excluded from this run. The artifact is a deterministic
+ * function of the inputs (the ref, the changed files, the graph) so the same
+ * inputs always yield the same scope, and it is recorded honestly in the report
+ * header and the run log. It sits upstream of `coverage_matrix.json` in the
+ * staleness DAG.
+ */
+export interface AuditScopeBudget {
+    /**
+     * Upper bound on the number of in-scope files (seeds + expanded). Seeds are
+     * always retained; expansion stops once this cap is reached.
+     */
+    max_files: number;
+}
+export interface AuditScopeManifest {
+    /** `full` audits every auditable file; `delta` scopes to a changed neighbourhood. */
+    mode: "full" | "delta";
+    /** Git ref/SHA the delta was measured against; `null` in full mode. */
+    since: string | null;
+    /**
+     * Changed auditable files (relative to `since`) that exist in the repo
+     * manifest. Empty in full mode. Sorted for determinism.
+     */
+    seed_files: string[];
+    /**
+     * Auditable files pulled in by deterministic priority-frontier expansion over
+     * the dependency graph (graph neighbours of the seeds). Sorted for determinism.
+     */
+    expanded_files: string[];
+    /** The budget applied during expansion. */
+    budget: AuditScopeBudget;
+    /**
+     * Human-readable note when the scope was truncated by the budget, or when a
+     * requested `--since` could not be honoured and the run fell back to full.
+     */
+    dropped_note?: string;
+}

package/dist/types/auditScope.js

@@ -0,0 +1,14 @@
+/**
+ * Phase 3 — `--since` delta scope.
+ *
+ * `scope.json` records how the audit was scoped for a given run: a full audit
+ * (the default), or a delta audit measured against a git ref. In delta mode the
+ * orchestrator audits only the changed files (`seed_files`) and their nearest
+ * graph neighbours (`expanded_files`); every other auditable file inherits its
+ * prior completion or is excluded from this run. The artifact is a deterministic
+ * function of the inputs (the ref, the changed files, the graph) so the same
+ * inputs always yield the same scope, and it is recorded honestly in the report
+ * header and the run log. It sits upstream of `coverage_matrix.json` in the
+ * staleness DAG.
+ */
+export {};

package/dist/types/reviewPlanning.d.ts

@@ -1,5 +1,5 @@
 import type { AuditTask, Lens } from "../types.js";
-import type { GraphEdge } from "./graph.js";
+import type { GraphEdge } from "@audit-tools/shared";
 export interface ReviewPacketGraphEdge extends Pick<GraphEdge, "from" | "to" | "kind" | "confidence" | "reason"> {
 }
 export interface ReviewPacketQuality {

package/dist/types/synthesisNarrative.d.ts

@@ -0,0 +1,7 @@
+export type SynthesisNarrativeStatus = "applied" | "omitted";
+export interface SynthesisNarrativeRecord {
+    status: SynthesisNarrativeStatus;
+    theme_count: number;
+    executive_summary_present: boolean;
+    top_risk_count: number;
+}

package/dist/types/synthesisNarrative.js

@@ -0,0 +1,5 @@
+// Marker artifact recording whether the optional Phase 6 synthesis-narrative
+// pass was applied or deliberately omitted. Its presence (and freshness against
+// `audit-findings.json`) satisfies the `synthesis_narrative_current` obligation;
+// the narrative content itself lives in `audit-findings.json`.
+export {};

package/dist/types/workerSession.d.ts

@@ -1,5 +1,10 @@
 export declare const WORKER_COMMAND_MODES: readonly ["run", "deferred"];
 export type WorkerCommandMode = (typeof WORKER_COMMAND_MODES)[number];
+export interface AccessDeclaration {
+    read_paths: string[];
+    write_paths: string[];
+    forbidden_patterns?: string[];
+}
 /**
  * Worker tasks serialize directly to task.json, so their persisted field names
  * intentionally stay snake_case for consistency across providers and bridges.
@@ -22,5 +27,6 @@ export interface WorkerTask {
     skip_worker_command?: boolean;
     timeout_ms?: number;
     max_retries?: number;
+    access?: AccessDeclaration;
 }
 export declare function usesDeferredWorkerCommand(task: Pick<WorkerTask, "worker_command_mode" | "skip_worker_command">): boolean;

package/dist/types.d.ts

@@ -1,3 +1,4 @@
+import type { Finding as SharedFinding } from "@audit-tools/shared";
 export type Lens = "correctness" | "architecture" | "maintainability" | "security" | "reliability" | "performance" | "data_integrity" | "tests" | "operability" | "config_deployment" | "observability";
 export interface FileRecord {
     path: string;
@@ -67,26 +68,8 @@ export interface AuditTask {
     completed_at?: string;
     completion_reason?: string;
 }
-export interface Finding {
-    id: string;
-    title: string;
-    category: string;
-    severity: "critical" | "high" | "medium" | "low" | "info";
-    confidence: "high" | "medium" | "low";
+export interface Finding extends Omit<SharedFinding, "lens"> {
     lens: Lens;
-    summary: string;
-    affected_files: Array<{
-        path: string;
-        line_start?: number;
-        line_end?: number;
-        symbol?: string;
-    }>;
-    impact?: string;
-    likelihood?: string;
-    evidence?: string[];
-    reproduction?: string[];
-    systemic?: boolean;
-    related_findings?: string[];
 }
 export interface AuditVerification {
     verified: boolean;

package/dist/validation/artifacts.d.ts

@@ -1,3 +1,3 @@
 import type { ArtifactBundle } from "../io/artifacts.js";
-import { type ValidationIssue } from "./basic.js";
+import { type ValidationIssue } from "@audit-tools/shared";
 export declare function validateArtifactBundle(bundle: ArtifactBundle): ValidationIssue[];

package/dist/validation/artifacts.js

@@ -1,4 +1,4 @@
-import { pushValidationIssue, requireKeys, } from "./basic.js";
+import { pushValidationIssue, requireKeys, } from "@audit-tools/shared";
 function pushIssue(issues, path, message) {
     pushValidationIssue(issues, path, message);
 }
@@ -19,6 +19,15 @@ export function validateArtifactBundle(bundle) {
     if (bundle.coverage_matrix) {
         issues.push(...requireKeys(bundle.coverage_matrix, "coverage_matrix", ["files"]));
     }
+    if (bundle.scope) {
+        issues.push(...requireKeys(bundle.scope, "scope", [
+            "mode",
+            "since",
+            "seed_files",
+            "expanded_files",
+            "budget",
+        ]));
+    }
     if (bundle.graph_bundle) {
         issues.push(...requireKeys(bundle.graph_bundle, "graph_bundle", ["graphs"]));
     }

package/dist/validation/auditResults.d.ts

@@ -1,5 +1,5 @@
 import type { AuditTask } from "../types.js";
-import { type ValidationIssue } from "./basic.js";
+import { type ValidationIssue } from "@audit-tools/shared";
 export type IssueSeverity = "error" | "warning";
 export declare function normalizeCoveragePath(path: string): string;
 export interface AuditResultIssue extends ValidationIssue {

package/dist/validation/auditResults.js

@@ -1,4 +1,4 @@
-import { describeValue, formatValidationIssues, isRecord, } from "./basic.js";
+import { describeValue, formatValidationIssues, isRecord, } from "@audit-tools/shared";
 export function normalizeCoveragePath(path) {
     return path.replace(/\\/g, "/").replace(/^\.\//, "");
 }

package/dist/validation/sessionConfig.d.ts

@@ -1,8 +1,7 @@
-import { type SessionConfig } from "../types/sessionConfig.js";
-import { type ValidationIssue } from "./basic.js";
+import { type SessionConfig, type ValidationIssue } from "@audit-tools/shared";
 export declare function validateSessionConfig(value: unknown): ValidationIssue[];
 export declare function validateConfiguredProviderEnvironment(sessionConfig: SessionConfig, options?: {
     commandExists?: (command: string) => boolean;
     pathExists?: (commandPath: string) => boolean;
 }): ValidationIssue[];
-export { formatValidationIssues } from "./basic.js";
+export { formatValidationIssues } from "@audit-tools/shared";

package/dist/validation/sessionConfig.js

@@ -1,9 +1,9 @@
 import { spawnSync } from "node:child_process";
 import { accessSync, constants } from "node:fs";
-import { PROVIDER_NAMES, SESSION_UI_MODES, } from "../types/sessionConfig.js";
-import { isRecord, pushValidationIssue, } from "./basic.js";
+import { ANALYZER_SETTINGS, PROVIDER_NAMES, SESSION_UI_MODES, isRecord, pushValidationIssue, } from "@audit-tools/shared";
 const VALID_PROVIDERS = new Set(PROVIDER_NAMES);
 const VALID_UI_MODES = new Set(SESSION_UI_MODES);
+const VALID_ANALYZER_SETTINGS = new Set(ANALYZER_SETTINGS);
 function pushIssue(issues, path, message) {
     pushValidationIssue(issues, path, message);
 }
@@ -159,6 +159,28 @@ export function validateSessionConfig(value) {
     validateTemplateProviderSection(value.vscode_task, "vscode_task", issues, provider === "vscode-task");
     validateAgentProviderSection(value.claude_code, "claude_code", issues);
     validateAgentProviderSection(value.opencode, "opencode", issues);
+    if (value.synthesis !== undefined) {
+        if (!isRecord(value.synthesis)) {
+            pushIssue(issues, "synthesis", "synthesis must be a JSON object.");
+        }
+        else if (value.synthesis.narrative !== undefined &&
+            typeof value.synthesis.narrative !== "boolean") {
+            pushIssue(issues, "synthesis.narrative", "synthesis.narrative must be a boolean when provided.");
+        }
+    }
+    if (value.analyzers !== undefined) {
+        if (!isRecord(value.analyzers)) {
+            pushIssue(issues, "analyzers", "analyzers must be a JSON object mapping analyzer id to a setting.");
+        }
+        else {
+            for (const [id, setting] of Object.entries(value.analyzers)) {
+                if (typeof setting !== "string" ||
+                    !VALID_ANALYZER_SETTINGS.has(setting)) {
+                    pushIssue(issues, `analyzers.${id}`, `analyzers.${id} must be one of: ${Array.from(VALID_ANALYZER_SETTINGS).join(", ")}.`);
+                }
+            }
+        }
+    }
     return issues;
 }
 export function validateConfiguredProviderEnvironment(sessionConfig, options = {}) {
@@ -192,4 +214,4 @@ export function validateConfiguredProviderEnvironment(sessionConfig, options = {
     }
     return issues;
 }
-export { formatValidationIssues } from "./basic.js";
+export { formatValidationIssues } from "@audit-tools/shared";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.3.40",
+  "version": "0.5.0",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",
@@ -34,7 +34,6 @@
     "smoke:linked-audit-code": "node scripts/smoke-linked-audit-code.mjs",
     "smoke:packaged-audit-code": "node scripts/smoke-packaged-audit-code.mjs",
     "prepack": "npm run build",
-    "prepare": "npm run build",
     "prepublishOnly": "npm run verify:release",
     "start": "node dist/index.js",
     "audit-code": "node audit-code.mjs",
@@ -65,10 +64,15 @@
     "orchestration",
     "agents"
   ],
+  "dependencies": {
+    "@audit-tools/shared": "*"
+  },
   "devDependencies": {
     "@types/node": "^24.3.0",
     "ajv": "^8.17.1",
     "linguist-languages": "^9.3.2",
-    "typescript": "^5.9.2"
+    "tree-sitter-wasms": "^0.1.13",
+    "typescript": "^5.9.2",
+    "web-tree-sitter": "^0.25.10"
   }
 }

package/schemas/analyzer_capability.schema.json

@@ -0,0 +1,47 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "analyzer_capability.schema.json",
+  "title": "Analyzer Capability Record",
+  "description": "Marker artifact (analyzer_capability.json) recording the outcome of the optional Phase 5 graph-enrichment pass. Its presence and freshness against graph_bundle.json satisfy the graph_enrichment_current obligation. The merged edges live in graph_bundle.json.",
+  "type": "object",
+  "required": ["status", "analyzers"],
+  "properties": {
+    "status": {
+      "type": "string",
+      "enum": ["applied", "omitted"],
+      "description": "'applied' when at least one analyzer contributed edges/routes; 'omitted' otherwise (regex floor unchanged)."
+    },
+    "analyzers": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["id", "resolution", "setting", "edges_added", "routes_added"],
+        "properties": {
+          "id": { "type": "string", "minLength": 1 },
+          "resolution": {
+            "type": "string",
+            "enum": [
+              "repo",
+              "cache",
+              "installed",
+              "absent",
+              "skip",
+              "not_applicable"
+            ],
+            "description": "How the analyzer's dependency resolved, or why it did not run."
+          },
+          "setting": {
+            "type": "string",
+            "enum": ["repo", "ephemeral", "permanent", "skip", "auto"],
+            "description": "Resolved analyzers.<id> session-config setting."
+          },
+          "edges_added": { "type": "integer", "minimum": 0 },
+          "routes_added": { "type": "integer", "minimum": 0 },
+          "note": { "type": "string" }
+        },
+        "additionalProperties": false
+      }
+    }
+  },
+  "additionalProperties": false
+}

package/schemas/audit_findings.schema.json

@@ -0,0 +1,141 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "audit_findings.schema.json",
+  "title": "Audit Findings Report",
+  "description": "The canonical machine contract emitted as audit-findings.json and consumed by the remediator. Deterministic fields are always present; themes/executive_summary/top_risks are added by the optional synthesis-narrative pass.",
+  "type": "object",
+  "required": ["contract_version", "summary", "findings", "work_blocks"],
+  "properties": {
+    "contract_version": { "type": "string", "minLength": 1 },
+    "summary": {
+      "type": "object",
+      "required": [
+        "finding_count",
+        "work_block_count",
+        "severity_breakdown",
+        "audited_file_count",
+        "excluded_file_count",
+        "runtime_validation_status_breakdown"
+      ],
+      "properties": {
+        "finding_count": { "type": "integer", "minimum": 0 },
+        "work_block_count": { "type": "integer", "minimum": 0 },
+        "severity_breakdown": {
+          "type": "object",
+          "additionalProperties": { "type": "integer", "minimum": 0 }
+        },
+        "audited_file_count": { "type": "integer", "minimum": 0 },
+        "excluded_file_count": { "type": "integer", "minimum": 0 },
+        "runtime_validation_status_breakdown": {
+          "type": "object",
+          "additionalProperties": { "type": "integer", "minimum": 0 }
+        }
+      },
+      "additionalProperties": false
+    },
+    "findings": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": [
+          "id",
+          "title",
+          "category",
+          "severity",
+          "confidence",
+          "lens",
+          "summary",
+          "affected_files"
+        ],
+        "properties": {
+          "id": { "type": "string" },
+          "title": { "type": "string" },
+          "category": { "type": "string", "minLength": 1 },
+          "severity": {
+            "type": "string",
+            "enum": ["critical", "high", "medium", "low", "info"]
+          },
+          "confidence": { "type": "string", "enum": ["high", "medium", "low"] },
+          "lens": { "type": "string", "minLength": 1 },
+          "summary": { "type": "string" },
+          "affected_files": {
+            "type": "array",
+            "minItems": 1,
+            "items": {
+              "type": "object",
+              "required": ["path"],
+              "properties": {
+                "path": { "type": "string" },
+                "line_start": { "type": "integer", "minimum": 1 },
+                "line_end": { "type": "integer", "minimum": 1 },
+                "symbol": { "type": "string" },
+                "hash_at_plan_time": { "type": "string" }
+              },
+              "additionalProperties": false
+            }
+          },
+          "impact": { "type": "string" },
+          "likelihood": { "type": "string" },
+          "evidence": { "type": "array", "items": { "type": "string" } },
+          "reproduction": { "type": "array", "items": { "type": "string" } },
+          "systemic": { "type": "boolean" },
+          "related_findings": { "type": "array", "items": { "type": "string" } },
+          "theme_id": { "type": "string" }
+        },
+        "additionalProperties": false
+      }
+    },
+    "work_blocks": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": [
+          "id",
+          "finding_ids",
+          "unit_ids",
+          "owned_files",
+          "max_severity",
+          "rationale",
+          "depends_on"
+        ],
+        "properties": {
+          "id": { "type": "string" },
+          "finding_ids": { "type": "array", "items": { "type": "string" } },
+          "unit_ids": { "type": "array", "items": { "type": "string" } },
+          "owned_files": { "type": "array", "items": { "type": "string" } },
+          "max_severity": {
+            "type": "string",
+            "enum": ["critical", "high", "medium", "low", "info"]
+          },
+          "rationale": { "type": "string" },
+          "depends_on": { "type": "array", "items": { "type": "string" } }
+        },
+        "additionalProperties": false
+      }
+    },
+    "themes": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": [
+          "theme_id",
+          "title",
+          "root_cause",
+          "finding_ids",
+          "suggested_fix_pattern"
+        ],
+        "properties": {
+          "theme_id": { "type": "string" },
+          "title": { "type": "string" },
+          "root_cause": { "type": "string" },
+          "finding_ids": { "type": "array", "items": { "type": "string" } },
+          "suggested_fix_pattern": { "type": "string" }
+        },
+        "additionalProperties": false
+      }
+    },
+    "executive_summary": { "type": "string" },
+    "top_risks": { "type": "array", "items": { "type": "string" } }
+  },
+  "additionalProperties": false
+}

package/schemas/finding.schema.json

@@ -72,7 +72,8 @@
       "type": "array",
       "minItems": 1,
       "items": { "type": "string" }
-    }
+    },
+    "theme_id": { "type": "string" }
   },
   "additionalProperties": false
 }

package/schemas/graph_bundle.schema.json

@@ -116,6 +116,11 @@
         }
       },
       "additionalProperties": true
+    },
+    "analyzers_used": {
+      "type": "array",
+      "items": { "type": "string" },
+      "description": "Ids of the language analyzers whose edges were merged into this bundle by the optional graph-enrichment pass. Absent/empty when only the regex floor was used."
     }
   },
   "additionalProperties": false

package/schemas/scope.schema.json

@@ -0,0 +1,46 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "scope.schema.json",
+  "title": "Audit Scope Manifest",
+  "description": "scope.json — records how a run was scoped (Phase 3 `--since` delta mode). A deterministic function of the git ref, the changed files, and the dependency graph. Sits upstream of coverage_matrix.json in the staleness DAG: in delta mode only seed + expanded files are (re)queued for audit; every other auditable file inherits its prior completion or is excluded from this run.",
+  "type": "object",
+  "required": ["mode", "since", "seed_files", "expanded_files", "budget"],
+  "properties": {
+    "mode": {
+      "type": "string",
+      "enum": ["full", "delta"],
+      "description": "'full' audits every auditable file; 'delta' scopes to a changed neighbourhood."
+    },
+    "since": {
+      "type": ["string", "null"],
+      "description": "Git ref/SHA the delta was measured against; null in full mode."
+    },
+    "seed_files": {
+      "type": "array",
+      "items": { "type": "string" },
+      "description": "Changed auditable files (relative to `since`) present in the repo manifest. Sorted."
+    },
+    "expanded_files": {
+      "type": "array",
+      "items": { "type": "string" },
+      "description": "Auditable graph neighbours pulled in by priority-frontier expansion. Sorted."
+    },
+    "budget": {
+      "type": "object",
+      "required": ["max_files"],
+      "properties": {
+        "max_files": {
+          "type": "integer",
+          "minimum": 1,
+          "description": "Upper bound on in-scope files (seeds + expanded); expansion stops once reached."
+        }
+      },
+      "additionalProperties": false
+    },
+    "dropped_note": {
+      "type": "string",
+      "description": "Set when scope was truncated by the budget, or when `--since` could not be honoured and the run fell back to full."
+    }
+  },
+  "additionalProperties": false
+}

package/scripts/postinstall.mjs

@@ -80,7 +80,6 @@ const OPENCODE_AUDIT_BASH_PERMISSION = {
   'git status*': 'allow',
   'git diff*': 'allow',
   'grep *': 'allow',
-  'Select-String *': 'allow',
   'rm *': 'deny',
 };
 

package/dist/io/json.d.ts

@@ -1,10 +0,0 @@
-export declare function isFileMissingError(error: unknown): boolean;
-export declare function readJsonFile<T>(path: string): Promise<T>;
-export declare function writeJsonFile(path: string, value: unknown): Promise<void>;
-export declare function appendNdjsonFile(path: string, value: unknown): Promise<void>;
-export declare function readNdjsonFile<T>(path: string): Promise<T[]>;
-export declare function readOptionalJsonFile<T>(path: string): Promise<T | undefined>;
-export declare function readOptionalNdjsonFile<T>(path: string): Promise<T[] | undefined>;
-export declare function writeNdjsonFile(path: string, values: unknown[]): Promise<void>;
-export declare function readOptionalTextFile(path: string): Promise<string | undefined>;
-export declare function writeTextFile(path: string, value: string): Promise<void>;