auditor-lambda 0.3.41 → 0.6.0

package/dist/cli.js

@@ -1,4 +1,4 @@
-import { mkdir, readFile, readdir, rename, rm, unlink } from "node:fs/promises";
+import { mkdir, readFile, readdir, rename, rm, unlink, writeFile } from "node:fs/promises";
 import { homedir } from "node:os";
 import { basename, dirname, join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
@@ -10,8 +10,8 @@ import { buildUnitManifest } from "./orchestrator/unitBuilder.js";
 import { buildFlowCoverage } from "./orchestrator/flowCoverage.js";
 import { buildRuntimeValidationTasks, } from "./orchestrator/runtimeValidation.js";
 import { initializeCoverageFromPlan } from "./orchestrator/planning.js";
-import { loadArtifactBundle, writeCoreArtifacts, promoteFinalAuditReport, } from "./io/artifacts.js";
-import { isFileMissingError, readJsonFile, writeJsonFile, prefixValidationIssues } from "@audit-tools/shared";
+import { loadArtifactBundle, writeCoreArtifacts, promoteFinalAuditReport, AUDIT_REPORT_FILENAME, } from "./io/artifacts.js";
+import { isFileMissingError, readJsonFile, writeJsonFile, prefixValidationIssues, RunLogger } from "@audit-tools/shared";
 import { validateArtifactBundle } from "./validation/artifacts.js";
 import { validateAuditResults, formatAuditResultIssues, } from "./validation/auditResults.js";
 import { validateConfiguredProviderEnvironment, validateSessionConfig, } from "./validation/sessionConfig.js";
@@ -20,21 +20,26 @@ import { deriveAuditState } from "./orchestrator/state.js";
 import { advanceAudit } from "./orchestrator/advance.js";
 import { checkFileIntegrity } from "./orchestrator/fileIntegrity.js";
 import { decideNextStep } from "./orchestrator/nextStep.js";
+import { collectLowConfidenceEdges, buildEdgeReasoningPrompt, edgeReasoningContentHash, } from "./orchestrator/edgeReasoning.js";
 import { renderDesignReviewPrompt } from "./orchestrator/designReviewPrompt.js";
+import { renderSynthesisNarrativePrompt } from "./reporting/synthesisNarrativePrompt.js";
 import { createFreshSessionProvider, resolveFreshSessionProviderName, } from "./providers/index.js";
 import { appendRunLedgerEntry, loadRunLedger } from "./supervisor/runLedger.js";
 import { buildAuditCodeHandoff, writeAuditCodeHandoffArtifacts, } from "./supervisor/operatorHandoff.js";
-import { getSessionConfigPath, loadSessionConfig, readSessionConfigFile, } from "./supervisor/sessionConfig.js";
+import { getSessionConfigPath, loadSessionConfig, persistAnalyzerSettings, readSessionConfigFile, } from "./supervisor/sessionConfig.js";
+import { resolveAnalyzerPlan, needsInstallDecision, } from "./extractors/analyzers/registry.js";
+import { buildPathLookup } from "./extractors/graph.js";
+import { buildDispositionMap } from "./extractors/disposition.js";
 import { clearDispatchFiles, buildRunId, ensureSupervisorDirs, getRunPaths, writeDispatchBatchFiles, writeWorkerTaskFiles, } from "./io/runArtifacts.js";
 import { renderWorkerPrompt } from "./prompts/renderWorkerPrompt.js";
-import { estimateTaskGroupTokens, } from "./orchestrator/reviewPackets.js";
+import { estimateTaskGroupTokens, sizeIndexFromManifest, } from "./orchestrator/reviewPackets.js";
 import { LOCAL_SUBPROCESS_PROVIDER_NAME } from "./providers/constants.js";
 import { runAuditCodeMcpServer } from "./mcp/server.js";
 import { scheduleWave, buildProviderModelKey, readQuotaState, recordWaveOutcome, resolveLimits, resolveHostActiveSubagentLimit, probeProvider, computeMaxSafeConcurrency, getQuotaStatePath, detectRateLimitError, computeCooldownUntil, runSlidingWindow, LearnedQuotaSource, CompositeQuotaSource, lookupDiscoveredLimits, updateDiscoveredLimits, mergeDiscoveredLimits, getHeaderExtractorForProvider, setQuotaStateDir, } from "./quota/index.js";
 // Re-exports from extracted modules
 export { resolveHostDispatchCapability, DIRECT_CLI_DEFAULTS, getFlag, hasFlag, getOptionalBooleanFlag, getArtifactsDir, getRootDir, getBatchResultsDir, getMaxRuns, getAgentBatchSize, getParallelWorkers, getTimeoutMs, chunkArray, getUiMode, looksLikeCliFlag, countLines, warnIfNotGitRepo, } from "./cli/args.js";
 import { DIRECT_CLI_DEFAULTS, getFlag, hasFlag, getOptionalBooleanFlag, fromBase64Url, renderCommand, summarizeLaunchExit, taskResultPath, readStdinText, getArtifactsDir, getRootDir, warnIfNotGitRepo, getBatchResultsDir, getMaxRuns, getAgentBatchSize, getParallelWorkers, getTimeoutMs, getExplicitProvider, getHostModel, getHostMaxActiveSubagents, getQuotaProbeMode, resolveRunProviderName, chunkArray, getUiMode, looksLikeCliFlag, resolveHostDispatchCapability, countLines, listBatchResultFiles, } from "./cli/args.js";
-import { nextStepCommand, mergeAndIngestCommand, renderDispatchReviewPrompt, renderSingleTaskFallbackStepPrompt, renderPresentReportPrompt, renderBlockedStepPrompt, } from "./cli/prompts.js";
+import { nextStepCommand, mergeAndIngestCommand, renderDispatchReviewPrompt, renderSingleTaskFallbackStepPrompt, renderPresentReportPrompt, renderAnalyzerInstallPrompt, renderEdgeReasoningStepPrompt, renderEdgeReasoningDispatchPrompt, renderBlockedStepPrompt, } from "./cli/prompts.js";
 import { writeCurrentStep, } from "./cli/steps.js";
 import { WORKER_RESULT_CONTRACT_VERSION, buildWorkerResult, persistWorkerRunArtifacts, isWorkerResult, buildWorkerFailureBlocker, formatAuditResultValidationError, } from "./cli/workerResult.js";
 import { DISPATCH_RESULT_MAP_FILENAME, ACTIVE_DISPATCH_FILENAME, resolveRunScopedArg, loadDispatchResultMap, entriesByTaskId, buildPendingAuditTasks, prepareDispatchArtifacts, } from "./cli/dispatch.js";
@@ -313,9 +318,15 @@ async function maybeArchiveLegacyPendingResults(auditResultsPath) {
 }
 async function runAuditStep(options) {
     const bundle = await loadArtifactBundle(options.artifactsDir);
+    const runLogger = new RunLogger(join(options.artifactsDir, "run.log.jsonl"), {
+        enabled: options.runLog ?? true,
+    });
     const lineIndex = bundle.repo_manifest
         ? await buildLineIndex(options.root, bundle.repo_manifest)
         : undefined;
+    const sizeIndex = bundle.repo_manifest
+        ? sizeIndexFromManifest(bundle.repo_manifest)
+        : undefined;
     if (looksLikeCliFlag(options.auditResultsPath)) {
         throw new Error(`Invalid audit results path '${options.auditResultsPath}'. This looks like a CLI flag rather than a file path.`);
     }
@@ -343,14 +354,27 @@ async function runAuditStep(options) {
     const externalAnalyzerResults = options.externalAnalyzerPath
         ? await readJsonFile(options.externalAnalyzerPath)
         : undefined;
+    const narrativeResults = options.narrativeResultsPath
+        ? await readJsonFile(options.narrativeResultsPath)
+        : undefined;
+    const edgeReasoningResults = options.edgeReasoningResultsPath
+        ? await readJsonFile(options.edgeReasoningResultsPath)
+        : undefined;
     const result = await advanceAudit(bundle, {
         root: options.root,
         lineIndex,
+        sizeIndex,
         auditResults: auditResults,
         runtimeValidationUpdates,
         externalAnalyzerResults,
+        narrativeResults,
+        edgeReasoningResults,
+        analyzers: options.analyzers,
+        graphLlmEdgeReasoning: options.graphLlmEdgeReasoning,
+        since: options.since,
         preferredExecutor: options.preferredExecutor,
         opentoken: options.opentoken,
+        runLogger,
     });
     await writeCoreArtifacts(options.artifactsDir, result.updated_bundle);
     const archivedPendingResults = await maybeArchiveLegacyPendingResults(options.auditResultsPath);
@@ -555,7 +579,11 @@ async function cmdAdvanceAudit(argv) {
         auditResultsPath: getFlag(argv, "--results"),
         runtimeUpdatesPath: getFlag(argv, "--updates"),
         externalAnalyzerPath,
+        analyzers: sessionConfig.analyzers,
+        graphLlmEdgeReasoning: sessionConfig.graph?.llm_edge_reasoning,
+        since: getFlag(argv, "--since"),
         opentoken: sessionConfig.opentoken?.enabled,
+        runLog: sessionConfig.observability?.run_log,
     });
     if (result.selected_executor !== "agent") {
         await clearDispatchFiles(artifactsDir);
@@ -579,6 +607,7 @@ async function cmdAdvanceAudit(argv) {
 }
 async function runDeterministicForNextStep(params) {
     let lastSummary = "";
+    let analyzers = params.analyzers;
     for (let index = 0; index < params.maxRuns; index++) {
         const bundle = await loadArtifactBundle(params.artifactsDir);
         const decision = decideNextStep(bundle);
@@ -601,8 +630,8 @@ async function runDeterministicForNextStep(params) {
                 state,
                 bundle,
                 finalReportPath: promoted.promoted
-                    ? join(params.root, "audit-report.md")
-                    : join(params.artifactsDir, "audit-report.md"),
+                    ? join(params.root, AUDIT_REPORT_FILENAME)
+                    : join(params.artifactsDir, AUDIT_REPORT_FILENAME),
             };
         }
         if (index === 0 && bundle.repo_manifest) {
@@ -621,6 +650,89 @@ async function runDeterministicForNextStep(params) {
                 }
             }
         }
+        if (decision.selected_executor === "graph_enrichment_executor") {
+            const includedFiles = bundle.repo_manifest
+                ? [
+                    ...new Set(buildPathLookup(bundle.repo_manifest, buildDispositionMap(bundle.file_disposition)).values()),
+                ]
+                : [];
+            const plan = resolveAnalyzerPlan(params.root, analyzers, includedFiles);
+            const unresolved = plan.filter(needsInstallDecision);
+            if (unresolved.length > 0) {
+                const decisionsPath = join(params.artifactsDir, "incoming", "analyzer-decisions.json");
+                let decisions;
+                try {
+                    decisions = await readJsonFile(decisionsPath);
+                }
+                catch (error) {
+                    if (!isFileMissingError(error))
+                        throw error;
+                }
+                if (decisions && typeof decisions === "object") {
+                    const settings = {};
+                    for (const [id, value] of Object.entries(decisions)) {
+                        if (value === "ephemeral" ||
+                            value === "permanent" ||
+                            value === "skip" ||
+                            value === "repo" ||
+                            value === "auto") {
+                            settings[id] = value;
+                        }
+                    }
+                    if (Object.keys(settings).length > 0) {
+                        const merged = await persistAnalyzerSettings(params.artifactsDir, settings);
+                        analyzers = merged.analyzers;
+                    }
+                    await unlink(decisionsPath).catch(() => { });
+                    continue;
+                }
+                return {
+                    kind: "analyzer_install",
+                    state,
+                    bundle,
+                    unresolved,
+                };
+            }
+            // Phase 4B — optional edge-reasoning producing turn. Once analyzer installs
+            // are resolved, if the flag is on and the floor carries low-confidence
+            // (< 0.65) edges, emit one bounded host turn (subagent dispatch or a single
+            // host step) to produce reason rewrites, then re-run. The enrichment
+            // executor applies the host-supplied rewrites in the SAME advanceAudit call
+            // that merges analyzer edges and writes analyzer_capability, so graph_bundle
+            // and its marker stay revision-consistent (no staleness loop). Flag off or
+            // no candidates → fall through and run the executor with no rewrites.
+            if (params.graphLlmEdgeReasoning === true && bundle.graph_bundle) {
+                const candidates = collectLowConfidenceEdges(bundle.graph_bundle);
+                if (candidates.length > 0) {
+                    const edgeReasoningResultsPath = join(params.artifactsDir, "incoming", "edge-reasoning.json");
+                    let edgeReasoningResults;
+                    try {
+                        edgeReasoningResults = await readJsonFile(edgeReasoningResultsPath);
+                    }
+                    catch (error) {
+                        if (!isFileMissingError(error))
+                            throw error;
+                    }
+                    if (edgeReasoningResults) {
+                        await runAuditStep({
+                            root: params.root,
+                            artifactsDir: params.artifactsDir,
+                            analyzers,
+                            graphLlmEdgeReasoning: true,
+                            edgeReasoningResultsPath,
+                            since: params.since,
+                            opentoken: params.opentoken,
+                        });
+                        await unlink(edgeReasoningResultsPath).catch(() => { });
+                        continue;
+                    }
+                    return { kind: "edge_reasoning", state, bundle, candidates };
+                }
+            }
+            // No undecided installs (and no pending edge reasoning): fall through to run
+            // the executor below (it installs for ephemeral/permanent, uses repo/cache,
+            // skips the rest).
+        }
         if (decision.selected_executor === "design_review") {
             const findingsPath = join(params.artifactsDir, "incoming", "design-review-findings.json");
             let reviewFindings;
@@ -647,6 +759,36 @@ async function runDeterministicForNextStep(params) {
                 bundle,
             };
         }
+        if (decision.selected_executor === "synthesis_narrative_executor") {
+            const narrativePath = join(params.artifactsDir, "incoming", "synthesis-narrative.json");
+            let narrativeResults;
+            try {
+                narrativeResults = await readJsonFile(narrativePath);
+            }
+            catch (error) {
+                if (!isFileMissingError(error))
+                    throw error;
+            }
+            if (narrativeResults) {
+                await runAuditStep({
+                    root: params.root,
+                    artifactsDir: params.artifactsDir,
+                    preferredExecutor: "synthesis_narrative_executor",
+                    narrativeResultsPath: narrativePath,
+                    opentoken: params.opentoken,
+                });
+                await unlink(narrativePath).catch(() => { });
+                continue;
+            }
+            if (params.narrativeEnabled) {
+                return {
+                    kind: "synthesis_narrative",
+                    state,
+                    bundle,
+                };
+            }
+            // Narrative disabled: fall through so the deterministic omit runs below.
+        }
         if (decision.selected_executor === "agent") {
             return {
                 kind: "semantic_review",
@@ -682,6 +824,9 @@ async function runDeterministicForNextStep(params) {
             result = await runAuditStep({
                 root: params.root,
                 artifactsDir: params.artifactsDir,
+                analyzers,
+                graphLlmEdgeReasoning: params.graphLlmEdgeReasoning,
+                since: params.since,
                 opentoken: params.opentoken,
             });
         }
@@ -734,6 +879,89 @@ async function runDeterministicForNextStep(params) {
         reason: `Reached max run limit (${params.maxRuns}) before a review, report, or blocker step was ready.`,
     };
 }
+// Renders the actionable semantic-review step (packet dispatch or single-task
+// fallback) and writes steps/current-step.json. Shared by next-step and
+// run-to-completion so the backend produces the actionable step itself rather
+// than handing the host a second command. Host dispatch capability is resolved
+// by the caller (flag -> session config -> env -> default true) and is never
+// required from the host to make progress.
+async function renderSemanticReviewStep(params) {
+    const { root, artifactsDir, activeReviewRun } = params;
+    if (!params.hostCanDispatch) {
+        const singleTaskPromptPath = join(artifactsDir, "dispatch", "current-single-task-prompt.md");
+        const workerCommand = renderCommand(activeReviewRun.worker_command);
+        return writeCurrentStep({
+            artifactsDir,
+            stepKind: "single_task_fallback",
+            status: "ready",
+            runId: activeReviewRun.run_id,
+            allowedCommands: [workerCommand],
+            stopCondition: "Run the exact worker_command after one result, then stop without looping.",
+            repoRoot: root,
+            artifactPaths: {
+                active_review_task: activeReviewRun.task_path,
+                active_review_prompt: activeReviewRun.prompt_path,
+                pending_audit_tasks: activeReviewRun.pending_audit_tasks_path ?? null,
+                audit_results: activeReviewRun.audit_results_path,
+                single_task_prompt: singleTaskPromptPath,
+            },
+            prompt: renderSingleTaskFallbackStepPrompt({
+                singleTaskPromptPath,
+                activeReviewRun,
+            }),
+            access: {
+                read_paths: [singleTaskPromptPath],
+                write_paths: [activeReviewRun.audit_results_path],
+            },
+        });
+    }
+    const dispatch = await prepareDispatchArtifacts({
+        packageRoot,
+        runId: activeReviewRun.run_id,
+        artifactsDir,
+        root,
+        hostActiveSubagentLimit: params.hostMaxActiveSubagents,
+    });
+    const mergeCommand = mergeAndIngestCommand(artifactsDir, activeReviewRun.run_id);
+    const continueCommand = nextStepCommand(root, artifactsDir);
+    return writeCurrentStep({
+        artifactsDir,
+        stepKind: "dispatch_review",
+        status: "ready",
+        runId: activeReviewRun.run_id,
+        allowedCommands: [
+            "auditor_merge_and_ingest",
+            "auditor_continue_audit",
+            mergeCommand,
+            continueCommand,
+        ],
+        stopCondition: "Dispatch every packet, run merge-and-ingest once, then run next-step.",
+        repoRoot: root,
+        artifactPaths: {
+            dispatch_plan: dispatch.dispatch_plan_path,
+            dispatch_quota: dispatch.dispatch_quota_path,
+            dispatch_warnings: dispatch.dispatch_warnings_path,
+            active_review_task: activeReviewRun.task_path,
+            pending_audit_tasks: activeReviewRun.pending_audit_tasks_path ?? null,
+        },
+        prompt: renderDispatchReviewPrompt({
+            root,
+            artifactsDir,
+            activeReviewRun,
+            dispatchPlanPath: dispatch.dispatch_plan_path,
+            dispatchQuotaPath: dispatch.dispatch_quota_path,
+            hostCanRestrictSubagentTools: params.hostCanRestrictSubagentTools,
+            hostCanSelectSubagentModel: params.hostCanSelectSubagentModel,
+        }),
+        access: {
+            read_paths: [
+                dispatch.dispatch_plan_path,
+                ...(dispatch.dispatch_quota_path ? [dispatch.dispatch_quota_path] : []),
+            ],
+            write_paths: [],
+        },
+    });
+}
 async function cmdNextStep(argv) {
     const root = getRootDir(argv);
     warnIfNotGitRepo(root);
@@ -783,6 +1011,10 @@ async function cmdNextStep(argv) {
         timeoutMs: getTimeoutMs(argv, sessionConfig),
         maxRuns: getMaxRuns(argv),
         opentoken: sessionConfig.opentoken?.enabled,
+        narrativeEnabled: sessionConfig.synthesis?.narrative !== false,
+        analyzers: sessionConfig.analyzers,
+        graphLlmEdgeReasoning: sessionConfig.graph?.llm_edge_reasoning,
+        since: getFlag(argv, "--since"),
     });
     if (result.kind === "complete") {
         const step = await writeCurrentStep({
@@ -850,81 +1082,138 @@ async function cmdNextStep(argv) {
         console.log(JSON.stringify(step, null, 2));
         return;
     }
-    if (!hostCanDispatch) {
-        const singleTaskPromptPath = join(artifactsDir, "dispatch", "current-single-task-prompt.md");
-        const workerCommand = renderCommand(result.activeReviewRun.worker_command);
+    if (result.kind === "analyzer_install") {
+        const decisionsPath = join(artifactsDir, "incoming", "analyzer-decisions.json");
+        await mkdir(join(artifactsDir, "incoming"), { recursive: true });
+        const continueCommand = nextStepCommand(root, artifactsDir);
         const step = await writeCurrentStep({
             artifactsDir,
-            stepKind: "single_task_fallback",
+            stepKind: "analyzer_install",
             status: "ready",
-            runId: result.activeReviewRun.run_id,
-            allowedCommands: [workerCommand],
-            stopCondition: "Run the exact worker_command after one result, then stop without looping.",
+            runId: null,
+            allowedCommands: [continueCommand],
+            stopCondition: "Write analyzer install decisions to the results path, then run next-step.",
             repoRoot: root,
             artifactPaths: {
-                active_review_task: result.activeReviewRun.task_path,
-                active_review_prompt: result.activeReviewRun.prompt_path,
-                pending_audit_tasks: result.activeReviewRun.pending_audit_tasks_path ?? null,
-                audit_results: result.activeReviewRun.audit_results_path,
-                single_task_prompt: singleTaskPromptPath,
+                analyzer_decisions: decisionsPath,
             },
-            prompt: renderSingleTaskFallbackStepPrompt({
-                singleTaskPromptPath,
-                activeReviewRun: result.activeReviewRun,
+            prompt: renderAnalyzerInstallPrompt({
+                unresolved: result.unresolved,
+                decisionsPath,
+                continueCommand,
+            }),
+        });
+        console.log(JSON.stringify(step, null, 2));
+        return;
+    }
+    if (result.kind === "edge_reasoning") {
+        await mkdir(join(artifactsDir, "incoming"), { recursive: true });
+        const edgeReasoningResultsPath = join(artifactsDir, "incoming", "edge-reasoning.json");
+        const continueCommand = nextStepCommand(root, artifactsDir);
+        const basePrompt = buildEdgeReasoningPrompt(result.candidates);
+        const contentHash = edgeReasoningContentHash(result.candidates);
+        if (hostCanDispatch) {
+            // Dispatch path: isolate the (potentially large) edge-list prompt in a file
+            // and have the host fan it out to one subagent, mirroring the packet review
+            // dispatch contract. The subagent writes the rewrites file; next-step applies.
+            const edgeReasoningPromptPath = join(artifactsDir, "incoming", "edge-reasoning-prompt.md");
+            await writeFile(edgeReasoningPromptPath, basePrompt, "utf8");
+            const step = await writeCurrentStep({
+                artifactsDir,
+                stepKind: "edge_reasoning_dispatch",
+                status: "ready",
+                runId: null,
+                allowedCommands: [continueCommand],
+                stopCondition: "Dispatch one subagent to write the edge-reasoning rewrites, then run next-step.",
+                repoRoot: root,
+                artifactPaths: {
+                    edge_reasoning_prompt: edgeReasoningPromptPath,
+                    edge_reasoning_results: edgeReasoningResultsPath,
+                },
+                prompt: renderEdgeReasoningDispatchPrompt({
+                    promptPath: edgeReasoningPromptPath,
+                    resultsPath: edgeReasoningResultsPath,
+                    continueCommand,
+                    contentHash,
+                    candidateCount: result.candidates.length,
+                }),
+                access: {
+                    read_paths: [edgeReasoningPromptPath],
+                    write_paths: [edgeReasoningResultsPath],
+                },
+            });
+            console.log(JSON.stringify(step, null, 2));
+            return;
+        }
+        // One-step fallback (no callable subagent facility): the host produces the
+        // rewrites itself in a single bounded turn, mirroring the narrative step.
+        const step = await writeCurrentStep({
+            artifactsDir,
+            stepKind: "edge_reasoning",
+            status: "ready",
+            runId: null,
+            allowedCommands: [continueCommand],
+            stopCondition: "Write the edge-reasoning rewrites to the results path, then run next-step.",
+            repoRoot: root,
+            artifactPaths: {
+                edge_reasoning_results: edgeReasoningResultsPath,
+            },
+            prompt: renderEdgeReasoningStepPrompt({
+                basePrompt,
+                resultsPath: edgeReasoningResultsPath,
+                continueCommand,
+                contentHash,
             }),
             access: {
-                read_paths: [singleTaskPromptPath],
-                write_paths: [result.activeReviewRun.audit_results_path],
+                read_paths: [],
+                write_paths: [edgeReasoningResultsPath],
             },
         });
         console.log(JSON.stringify(step, null, 2));
         return;
     }
-    const dispatch = await prepareDispatchArtifacts({
-        packageRoot,
-        runId: result.activeReviewRun.run_id,
-        artifactsDir,
+    if (result.kind === "synthesis_narrative") {
+        const narrativeResultsPath = join(artifactsDir, "incoming", "synthesis-narrative.json");
+        await mkdir(join(artifactsDir, "incoming"), { recursive: true });
+        const continueCommand = nextStepCommand(root, artifactsDir);
+        const basePrompt = result.bundle.audit_findings
+            ? renderSynthesisNarrativePrompt(result.bundle.audit_findings)
+            : "# Synthesis narrative\n\nNo findings report is available; write an empty themes array.";
+        const fullPrompt = [
+            basePrompt,
+            "## Results path",
+            "",
+            "Write the SynthesisNarrative JSON object to:",
+            "",
+            `  ${narrativeResultsPath}`,
+            "",
+            `Then run: ${continueCommand}`,
+            "",
+        ].join("\n");
+        const step = await writeCurrentStep({
+            artifactsDir,
+            stepKind: "synthesis_narrative",
+            status: "ready",
+            runId: null,
+            allowedCommands: [continueCommand],
+            stopCondition: "Write the synthesis narrative to the results path, then run next-step.",
+            repoRoot: root,
+            artifactPaths: {
+                synthesis_narrative_results: narrativeResultsPath,
+            },
+            prompt: fullPrompt,
+        });
+        console.log(JSON.stringify(step, null, 2));
+        return;
+    }
+    const step = await renderSemanticReviewStep({
         root,
-        hostActiveSubagentLimit: hostMaxActiveSubagents,
-    });
-    const mergeCommand = mergeAndIngestCommand(artifactsDir, result.activeReviewRun.run_id);
-    const continueCommand = nextStepCommand(root, artifactsDir);
-    const step = await writeCurrentStep({
         artifactsDir,
-        stepKind: "dispatch_review",
-        status: "ready",
-        runId: result.activeReviewRun.run_id,
-        allowedCommands: [
-            "auditor_merge_and_ingest",
-            "auditor_continue_audit",
-            mergeCommand,
-            continueCommand,
-        ],
-        stopCondition: "Dispatch every packet, run merge-and-ingest once, then run next-step.",
-        repoRoot: root,
-        artifactPaths: {
-            dispatch_plan: dispatch.dispatch_plan_path,
-            dispatch_quota: dispatch.dispatch_quota_path,
-            dispatch_warnings: dispatch.dispatch_warnings_path,
-            active_review_task: result.activeReviewRun.task_path,
-            pending_audit_tasks: result.activeReviewRun.pending_audit_tasks_path ?? null,
-        },
-        prompt: renderDispatchReviewPrompt({
-            root,
-            artifactsDir,
-            activeReviewRun: result.activeReviewRun,
-            dispatchPlanPath: dispatch.dispatch_plan_path,
-            dispatchQuotaPath: dispatch.dispatch_quota_path,
-            hostCanRestrictSubagentTools,
-            hostCanSelectSubagentModel,
-        }),
-        access: {
-            read_paths: [
-                dispatch.dispatch_plan_path,
-                ...(dispatch.dispatch_quota_path ? [dispatch.dispatch_quota_path] : []),
-            ],
-            write_paths: [],
-        },
+        activeReviewRun: result.activeReviewRun,
+        hostCanDispatch,
+        hostMaxActiveSubagents,
+        hostCanRestrictSubagentTools,
+        hostCanSelectSubagentModel,
     });
     console.log(JSON.stringify(step, null, 2));
 }
@@ -1092,6 +1381,37 @@ async function cmdRunToCompletion(argv) {
             const blockPrompt = renderWorkerPrompt(blockTask);
             await writeWorkerTaskFiles(blockTask, blockPrompt, blockPaths, artifactsDir, blockPendingTasks);
             await writeJsonFile(blockPendingTasksPath, blockPendingTasks);
+            const reviewRun = {
+                run_id: blockRunId,
+                task_path: blockPaths.taskPath,
+                prompt_path: blockPaths.promptPath,
+                pending_audit_tasks_path: blockPendingTasksPath,
+                audit_results_path: blockAuditResultsPath,
+                worker_command: blockTask.worker_command,
+            };
+            // Render the actionable dispatch / single-task step here instead of
+            // leaving the host to issue next-step as a second command. Capability is
+            // resolved from flags/config/env with a sane default, so nothing is
+            // required from the host to make progress. If rendering fails we still
+            // emit the hand-off below — run-to-completion is never worse than before,
+            // and next-step will re-render and surface the error loudly.
+            try {
+                await renderSemanticReviewStep({
+                    root,
+                    artifactsDir,
+                    activeReviewRun: reviewRun,
+                    hostCanDispatch: resolveHostDispatchCapability({
+                        explicit: getOptionalBooleanFlag(argv, "--host-can-dispatch-subagents"),
+                        sessionConfig,
+                    }),
+                    hostMaxActiveSubagents: getHostMaxActiveSubagents(argv),
+                    hostCanRestrictSubagentTools: getOptionalBooleanFlag(argv, "--host-can-restrict-subagent-tools") ?? false,
+                    hostCanSelectSubagentModel: getOptionalBooleanFlag(argv, "--host-can-select-subagent-model") ?? false,
+                });
+            }
+            catch (stepError) {
+                process.stderr.write(`[audit-code] Could not pre-render the review step; the operator hand-off points to next-step instead. ${stepError instanceof Error ? stepError.message : String(stepError)}\n`);
+            }
             await emitEnvelope({
                 root,
                 artifactsDir,
@@ -1107,14 +1427,7 @@ async function cmdRunToCompletion(argv) {
                 progress_summary: blocker,
                 next_likely_step: null,
                 providerName: provider.name,
-                activeReviewRun: {
-                    run_id: blockRunId,
-                    task_path: blockPaths.taskPath,
-                    prompt_path: blockPaths.promptPath,
-                    pending_audit_tasks_path: blockPendingTasksPath,
-                    audit_results_path: blockAuditResultsPath,
-                    worker_command: blockTask.worker_command,
-                },
+                activeReviewRun: reviewRun,
             });
             return;
         }
@@ -1151,7 +1464,8 @@ async function cmdRunToCompletion(argv) {
             const quotaStateEntry = quotaState.entries[providerModelKey] ?? null;
             const allCandidateTasks = buildPendingAuditTasks(bundle);
             const candidateGroups = chunkArray(allCandidateTasks.slice(0, parallelWorkers * agentBatchSize), agentBatchSize);
-            const slotTokenEstimates = candidateGroups.map((g) => estimateTaskGroupTokens(g));
+            const candidateSizeIndex = sizeIndexFromManifest(bundle.repo_manifest);
+            const slotTokenEstimates = candidateGroups.map((g) => estimateTaskGroupTokens(g, candidateSizeIndex));
             const providerLimits = await provider.queryLimits?.(hostModel)
                 .then((r) => r ? { ...r, source: "provider_query" } : null)
                 .catch(() => null)
@@ -1457,6 +1771,8 @@ async function cmdRunToCompletion(argv) {
                     auditResultsPath,
                     runtimeUpdatesPath,
                     externalAnalyzerPath,
+                    analyzers: sessionConfig.analyzers,
+                    since: getFlag(argv, "--since"),
                 });
                 workerResult = {
                     contract_version: WORKER_RESULT_CONTRACT_VERSION,
@@ -2290,7 +2606,11 @@ async function cmdIntake(argv) {
 }
 async function cmdPlan(argv) {
     const artifactsDir = getArtifactsDir(argv);
-    const result = await runAuditStep({ root: getRootDir(argv), artifactsDir });
+    const result = await runAuditStep({
+        root: getRootDir(argv),
+        artifactsDir,
+        since: getFlag(argv, "--since"),
+    });
     console.log(JSON.stringify({
         artifacts_dir: artifactsDir,
         selected_executor: result.selected_executor,

package/dist/extractors/analyzers/css.d.ts

@@ -0,0 +1,2 @@
+import type { LanguageAnalyzer } from "./types.js";
+export declare const cssAnalyzer: LanguageAnalyzer;