auditor-lambda 0.3.6 → 0.3.7

package/dist/cli.js

@@ -1504,6 +1504,9 @@ function buildDispatchModelHint(complexity) {
     if (complexity.tags.some((tag) => tag === "external_analyzer_signal" || tag.startsWith("external_tool:"))) {
         deepReasons.push("external_analyzer_signal");
     }
+    if (complexity.tags.includes("lens_verification")) {
+        deepReasons.push("lens_verification");
+    }
     if (deepReasons.length > 0) {
         return { tier: "deep", reasons: deepReasons };
     }
@@ -1680,15 +1683,31 @@ async function cmdPrepareDispatch(argv) {
                 : [];
         const taskSections = packetTasks.flatMap((task) => {
             const lensDef = lensDefs[task.lens];
+            const inputLines = task.inputs
+                ? Object.entries(task.inputs)
+                    .sort(([a], [b]) => a.localeCompare(b))
+                    .map(([key, value]) => `input.${key}: ${value}`)
+                : [];
+            const isLensVerification = task.tags?.includes("lens_verification") ?? false;
             return [
                 `### ${task.task_id}`,
                 `unit_id: ${task.unit_id}`,
                 `pass_id: ${task.pass_id}`,
                 `lens: ${task.lens}`,
+                ...(task.tags?.length ? [`tags: ${task.tags.join(", ")}`] : []),
+                ...inputLines,
                 `rationale: ${task.rationale}`,
                 "",
                 `Lens guidance: ${lensDef?.description ?? task.lens}`,
                 `Do NOT report: ${lensDef?.do_not_report ?? "N/A"}`,
+                ...(isLensVerification
+                    ? [
+                        "",
+                        "Lens verification mode: review the prior result summary in the rationale and use only targeted source checks.",
+                        "Do not redo every packet and do not write direct findings for this task.",
+                        "Return findings: [] plus verification metadata. Include followup_tasks only for bounded, specific re-review packets.",
+                    ]
+                    : []),
                 "",
             ];
         });
@@ -1735,6 +1754,13 @@ async function cmdPrepareDispatch(argv) {
             "  file_coverage [{path, total_lines}] - one entry per assigned file; use the line counts listed above",
             "  findings      [] or array of finding objects",
             "",
+            "Lens verification tasks:",
+            "  tasks tagged lens_verification must use findings: [] and include verification:",
+            "  {verified: boolean, needs_followup: boolean, concerns?: string[],",
+            "   coverage_concerns?: string[], confidence_concerns?: string[],",
+            "   followup_tasks?: AuditTask[]}.",
+            "  Follow-up AuditTask suggestions must stay bounded to files in this packet and use the same lens.",
+            "",
             "Each finding object:",
             "  id            unique ID, e.g. \"COR-001\"",
             "  title         short title",

package/dist/io/runArtifacts.js

@@ -93,13 +93,13 @@ export async function writeDispatchBatchFiles(artifactsDir, runs, currentTasks)
         "",
         `This batch launched ${runs.length} deferred review run(s).`,
         "Each run keeps its own task.json, prompt.md, result.json, and status.json under .audit-artifacts/runs/<run_id>/.",
-        "Use current-tasks.json for the combined task list, then inspect the per-run files below when you need exact prompts or result paths.",
+        "Use current-tasks.json for the combined task list. The per-run files below are operational references for launched workers; do not read per-run prompt or schema files unless debugging a failed dispatch.",
         "",
         "Runs:",
         ...runs.flatMap((run) => [
             `- ${run.run_id}`,
             `  task: ${run.task_path}`,
-            `  prompt: ${run.prompt_path}`,
+            `  prompt (worker-owned; do not read during normal orchestration): ${run.prompt_path}`,
             `  result: ${run.result_path}`,
             `  status: ${run.status_path}`,
             ...(run.audit_results_path

package/dist/orchestrator/internalExecutors.js

@@ -32,6 +32,7 @@ function appendSelectiveDeepeningTasks(params) {
         lineIndex,
         runtimeValidationTasks: params.bundle.runtime_validation_tasks,
         runtimeValidationReport: params.runtimeValidationReport ?? params.bundle.runtime_validation_report,
+        externalAnalyzerResults: params.bundle.external_analyzer_results,
     });
     if (selectiveDeepeningTasks.length === 0) {
         return { bundle: params.bundle, taskCount: 0, artifacts: [] };

package/dist/orchestrator/selectiveDeepening.d.ts

@@ -1,4 +1,5 @@
 import type { AuditResult, AuditTask } from "../types.js";
+import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
 import type { RuntimeValidationReport, RuntimeValidationTaskManifest } from "../types/runtimeValidation.js";
 export interface BuildSelectiveDeepeningTaskOptions {
     existingTasks?: AuditTask[];
@@ -6,9 +7,12 @@ export interface BuildSelectiveDeepeningTaskOptions {
     lineIndex?: Record<string, number>;
     runtimeValidationTasks?: RuntimeValidationTaskManifest;
     runtimeValidationReport?: RuntimeValidationReport;
+    externalAnalyzerResults?: ExternalAnalyzerResults;
     maxTasks?: number;
 }
 export declare function buildSelectiveDeepeningTasks(options: BuildSelectiveDeepeningTaskOptions): AuditTask[];
 export declare const selectiveDeepeningTestUtils: {
     DEEPENING_TAG: string;
+    LENS_VERIFICATION_TAG: string;
+    LENS_VERIFICATION_FOLLOWUP_TAG: string;
 };

package/dist/orchestrator/selectiveDeepening.js

@@ -1,6 +1,16 @@
 import { createHash } from "node:crypto";
 const DEFAULT_MAX_DEEPENING_TASKS = 6;
 const DEEPENING_TAG = "selective_deepening";
+const LENS_VERIFICATION_TAG = "lens_verification";
+const LENS_VERIFICATION_FOLLOWUP_TAG = "lens_verification_followup";
+const MAX_LENS_VERIFICATION_FILES = 12;
+const MAX_LENS_VERIFICATION_RESULT_SUMMARIES = 12;
+const MAX_VERIFICATION_FOLLOWUP_TASKS_PER_RESULT = 4;
+const IMPORTANT_LENS_VERIFICATION_LENSES = new Set([
+    "security",
+    "data_integrity",
+    "reliability",
+]);
 const SEVERITY_RANK = {
     critical: 5,
     high: 4,
@@ -27,6 +37,9 @@ function priorityRank(priority) {
 function isDeepeningTask(task) {
     return task?.tags?.includes(DEEPENING_TAG) ?? false;
 }
+function isLensVerificationTask(task) {
+    return task?.tags?.includes(LENS_VERIFICATION_TAG) ?? false;
+}
 function sanitizeSegment(value) {
     const sanitized = value
         .replace(/[^a-zA-Z0-9_-]+/g, "-")
@@ -85,6 +98,29 @@ function lineCountFromSources(path, tasks, results, lineIndex) {
     }
     return lineIndex?.[path] ?? 0;
 }
+function formatList(values, maxItems) {
+    const visible = values.slice(0, maxItems);
+    const suffix = values.length > maxItems ? `, ... (+${values.length - maxItems} more)` : "";
+    return `${visible.join(", ")}${suffix}`;
+}
+function priorityLabel(priority) {
+    return priority ?? "low";
+}
+function getExternalAnalyzerPaths(externalAnalyzerResults) {
+    return new Set((externalAnalyzerResults?.results ?? [])
+        .map((result) => result && typeof result.path === "string" && result.path.length > 0
+        ? result.path
+        : null)
+        .filter((path) => path !== null));
+}
+function isRecord(value) {
+    return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+function normalizedSuggestedPriority(value, fallback = "medium") {
+    return value === "high" || value === "medium" || value === "low"
+        ? value
+        : fallback;
+}
 function buildFindingFollowupTask(params) {
     const paths = pathsForFinding(params.finding, params.result, params.task);
     const triggerLabel = params.triggers.join("+");
@@ -261,6 +297,309 @@ function buildRuntimeValidationFollowupTask(params) {
         status: "pending",
     };
 }
+function sourceTaskIds(sources) {
+    return uniqueSorted(sources.map((source) => source.result.task_id));
+}
+function resultFiles(source) {
+    return uniqueSorted(source.task?.file_paths && source.task.file_paths.length > 0
+        ? source.task.file_paths
+        : source.result.file_coverage.map((coverage) => coverage.path));
+}
+function lensVerificationTriggers(params) {
+    const filePaths = uniqueSorted(params.sources.flatMap(resultFiles));
+    const findingPaths = new Set(params.sources.flatMap((source) => source.result.findings.flatMap((finding) => finding.affected_files.map((file) => file.path))));
+    const externalPathsInScope = filePaths.filter((path) => params.externalAnalyzerPaths.has(path));
+    const unresolvedExternalPaths = externalPathsInScope.filter((path) => !findingPaths.has(path));
+    const cleanResults = params.sources.filter((source) => source.result.findings.length === 0 &&
+        source.result.requires_followup !== false);
+    const highRiskCleanResults = params.sources.filter((source) => isHighRiskCleanResult(source.result, source.task));
+    const totalLines = filePaths.reduce((sum, path) => {
+        const owner = params.sources.find((source) => resultFiles(source).includes(path));
+        return (sum +
+            (owner
+                ? lineCountForPath(path, owner.task, owner.result)
+                : 0));
+    }, 0);
+    const triggers = [];
+    if (params.sources.some((source) => source.task?.priority === "high")) {
+        triggers.push("high_priority_lens");
+    }
+    if (params.sources.some((source) => source.task?.tags?.some((tag) => tag === "critical_flow" || tag.startsWith("critical_flow:")))) {
+        triggers.push("critical_flow");
+    }
+    if (params.sources.some((source) => source.task?.tags?.some((tag) => tag === "external_analyzer_signal" ||
+        tag.startsWith("external_tool:"))) ||
+        externalPathsInScope.length > 0) {
+        triggers.push("external_analyzer_signal");
+    }
+    if (unresolvedExternalPaths.length > 0) {
+        triggers.push("unresolved_external_signal");
+    }
+    if (params.sources.length >= 3 ||
+        filePaths.length >= 4 ||
+        totalLines >= 2000) {
+        triggers.push("large_lens_surface");
+    }
+    if (cleanResults.length >= 2 && cleanResults.length >= params.sources.length / 2) {
+        triggers.push("many_no_finding_results");
+    }
+    if (highRiskCleanResults.length > 0) {
+        triggers.push("high_risk_clean_result");
+    }
+    if (params.sources.some((source) => source.task?.tags?.some((tag) => tag === "large_file"))) {
+        triggers.push("large_file_reviewed");
+    }
+    return uniqueSorted(triggers);
+}
+function hasPendingBaseTaskForLens(lens, tasks, completedResultIds) {
+    return tasks.some((task) => task.lens === lens &&
+        !isDeepeningTask(task) &&
+        !completedResultIds.has(task.task_id) &&
+        task.status !== "complete");
+}
+function shouldBuildLensVerificationTask(params) {
+    if (!IMPORTANT_LENS_VERIFICATION_LENSES.has(params.lens)) {
+        return false;
+    }
+    if (params.sources.length === 0 || params.triggers.length === 0) {
+        return false;
+    }
+    const explicitlyClosedCleanScope = params.sources.every((source) => source.result.findings.length === 0 &&
+        source.result.requires_followup === false);
+    if (explicitlyClosedCleanScope &&
+        !params.triggers.some((trigger) => ["external_analyzer_signal", "unresolved_external_signal"].includes(trigger))) {
+        return false;
+    }
+    if (hasPendingBaseTaskForLens(params.lens, params.existingTasks, params.completedResultIds)) {
+        return false;
+    }
+    const enoughSurface = params.sources.length >= 2 ||
+        params.triggers.some((trigger) => [
+            "critical_flow",
+            "external_analyzer_signal",
+            "unresolved_external_signal",
+            "large_lens_surface",
+        ].includes(trigger));
+    if (!enoughSurface) {
+        return false;
+    }
+    const sourceSignature = sourceTaskIds(params.sources);
+    const candidateId = taskIdFor("steward", [params.lens, ...sourceSignature]);
+    return !params.existingTasks.some((task) => task.task_id === candidateId);
+}
+function selectLensVerificationFiles(sources, externalAnalyzerPaths) {
+    const scores = new Map();
+    function add(path, score, lines) {
+        const current = scores.get(path) ?? { score: 0, lines };
+        current.score += score;
+        current.lines = Math.max(current.lines, lines);
+        scores.set(path, current);
+    }
+    for (const source of sources) {
+        const priorityScore = priorityRank(source.task?.priority);
+        const highRiskClean = isHighRiskCleanResult(source.result, source.task);
+        for (const path of resultFiles(source)) {
+            add(path, priorityScore, lineCountForPath(path, source.task, source.result));
+            if (source.task?.tags?.includes("critical_flow"))
+                add(path, 6, 0);
+            if (source.task?.tags?.includes("external_analyzer_signal"))
+                add(path, 6, 0);
+            if (source.task?.tags?.includes("large_file"))
+                add(path, 4, 0);
+            if (highRiskClean)
+                add(path, 5, 0);
+        }
+        for (const finding of source.result.findings) {
+            for (const file of finding.affected_files) {
+                add(file.path, SEVERITY_RANK[finding.severity], 0);
+            }
+        }
+    }
+    for (const path of externalAnalyzerPaths) {
+        if (scores.has(path)) {
+            add(path, 8, 0);
+        }
+    }
+    return [...scores.entries()]
+        .sort((a, b) => {
+        const scoreDelta = b[1].score - a[1].score;
+        if (scoreDelta !== 0)
+            return scoreDelta;
+        const lineDelta = b[1].lines - a[1].lines;
+        if (lineDelta !== 0)
+            return lineDelta;
+        return a[0].localeCompare(b[0]);
+    })
+        .slice(0, MAX_LENS_VERIFICATION_FILES)
+        .map(([path]) => path);
+}
+function summarizeLensVerificationSource(source) {
+    const findings = source.result.findings.length === 0
+        ? "findings=none"
+        : `findings=${source.result.findings
+            .slice(0, 3)
+            .map((finding) => `${finding.id} ${finding.severity}/${finding.confidence} ${finding.category}: ${finding.title}`)
+            .join("; ")}${source.result.findings.length > 3 ? "; ..." : ""}`;
+    const tags = source.task?.tags?.length
+        ? ` tags=${source.task.tags.join(",")}`
+        : "";
+    return (`- ${source.result.task_id} priority=${priorityLabel(source.task?.priority)}` +
+        `${tags} files=${formatList(resultFiles(source), 4)} ${findings}` +
+        (source.result.requires_followup === true ? " requires_followup=true" : ""));
+}
+function buildLensVerificationTask(params) {
+    const sourceIds = sourceTaskIds(params.sources);
+    const selectedPaths = selectLensVerificationFiles(params.sources, params.externalAnalyzerPaths);
+    const allPaths = uniqueSorted(params.sources.flatMap(resultFiles));
+    const omittedPathCount = Math.max(0, allPaths.length - selectedPaths.length);
+    const externalPathsInScope = allPaths.filter((path) => params.externalAnalyzerPaths.has(path));
+    const summaries = params.sources
+        .sort((a, b) => a.result.task_id.localeCompare(b.result.task_id))
+        .slice(0, MAX_LENS_VERIFICATION_RESULT_SUMMARIES)
+        .map(summarizeLensVerificationSource);
+    return {
+        task_id: taskIdFor("steward", [params.lens, ...sourceIds]),
+        unit_id: `lens-steward:${params.lens}`,
+        pass_id: `lens-steward:${params.lens}`,
+        lens: params.lens,
+        file_paths: selectedPaths,
+        file_line_counts: Object.fromEntries(selectedPaths.map((path) => [
+            path,
+            lineCountFromSources(path, params.sources.map((source) => source.task).filter((task) => task !== undefined), params.sources.map((source) => source.result), params.lineIndex),
+        ])),
+        inputs: {
+            source_task_ids: sourceIds.join(","),
+            trigger_summary: params.triggers.join(","),
+        },
+        rationale: `Lens steward verification for ${params.lens} after ${params.sources.length} completed base result(s) across ${allPaths.length} file(s). ` +
+            `Triggers: ${params.triggers.join(", ")}. ` +
+            "Review whether high-risk packets are suspiciously clean, severity/confidence levels are consistent, external analyzer signals were resolved rather than hand-waved, cross-packet issues are visible, no-finding conclusions are believable, and related-file findings contradict each other. " +
+            "Do not write direct findings from this verification task; return findings: [] plus verification metadata with bounded follow-up AuditTask suggestions when needed.\n" +
+            `Selected verification files: ${formatList(selectedPaths, 8)}${omittedPathCount > 0 ? `; omitted ${omittedPathCount} lower-priority file(s) from direct source checks` : ""}.\n` +
+            (externalPathsInScope.length > 0
+                ? `External analyzer paths in scope: ${formatList(externalPathsInScope, 8)}.\n`
+                : "") +
+            "Source result summary:\n" +
+            summaries.join("\n") +
+            (params.sources.length > MAX_LENS_VERIFICATION_RESULT_SUMMARIES
+                ? `\n- ... (+${params.sources.length - MAX_LENS_VERIFICATION_RESULT_SUMMARIES} more result summaries omitted)`
+                : ""),
+        priority: "high",
+        tags: [
+            DEEPENING_TAG,
+            LENS_VERIFICATION_TAG,
+            `lens:${params.lens}`,
+            ...params.triggers.map((trigger) => `trigger:${trigger}`),
+        ],
+        status: "pending",
+    };
+}
+function buildLensVerificationTasks(params) {
+    const taskById = new Map(params.existingTasks.map((task) => [task.task_id, task]));
+    const completedResultIds = new Set(params.results.map((result) => result.task_id));
+    const externalAnalyzerPaths = getExternalAnalyzerPaths(params.externalAnalyzerResults);
+    const tasks = [];
+    for (const lens of [...IMPORTANT_LENS_VERIFICATION_LENSES].sort((a, b) => a.localeCompare(b))) {
+        const sources = params.results
+            .map((result) => ({ result, task: taskById.get(result.task_id) }))
+            .filter((source) => source.result.lens === lens &&
+            !isDeepeningTask(source.task) &&
+            !isLensVerificationTask(source.task));
+        const triggers = lensVerificationTriggers({
+            lens,
+            sources,
+            externalAnalyzerPaths,
+        });
+        if (!shouldBuildLensVerificationTask({
+            lens,
+            sources,
+            triggers,
+            existingTasks: params.existingTasks,
+            completedResultIds,
+        })) {
+            continue;
+        }
+        tasks.push(buildLensVerificationTask({
+            lens,
+            sources,
+            triggers,
+            externalAnalyzerPaths,
+            lineIndex: params.lineIndex,
+        }));
+    }
+    return tasks;
+}
+function buildVerificationFollowupTasks(params) {
+    if (!params.result.verification?.needs_followup ||
+        !Array.isArray(params.result.verification.followup_tasks) ||
+        !isLensVerificationTask(params.task)) {
+        return [];
+    }
+    const coverageByPath = new Map(params.result.file_coverage.map((coverage) => [
+        coverage.path,
+        coverage.total_lines,
+    ]));
+    const concerns = [
+        ...(params.result.verification.concerns ?? []),
+        ...(params.result.verification.coverage_concerns ?? []),
+        ...(params.result.verification.confidence_concerns ?? []),
+    ];
+    const tasks = [];
+    for (let index = 0; index < params.result.verification.followup_tasks.length; index++) {
+        if (tasks.length >= MAX_VERIFICATION_FOLLOWUP_TASKS_PER_RESULT) {
+            break;
+        }
+        const suggestion = params.result.verification.followup_tasks[index];
+        if (!isRecord(suggestion)) {
+            continue;
+        }
+        if (suggestion.lens !== params.result.lens) {
+            continue;
+        }
+        const suggestedPaths = Array.isArray(suggestion.file_paths)
+            ? suggestion.file_paths.filter((path) => typeof path === "string" && coverageByPath.has(path))
+            : [];
+        const paths = uniqueSorted(suggestedPaths);
+        if (paths.length === 0) {
+            continue;
+        }
+        const suggestedRationale = typeof suggestion.rationale === "string" && suggestion.rationale.trim().length > 0
+            ? suggestion.rationale.trim()
+            : concerns[0] ?? "Lens steward requested bounded follow-up.";
+        const suggestedId = typeof suggestion.task_id === "string" && suggestion.task_id.trim().length > 0
+            ? suggestion.task_id
+            : `suggestion-${index + 1}`;
+        tasks.push({
+            task_id: taskIdFor("steward-followup", [
+                params.result.task_id,
+                String(index),
+                suggestedId,
+                ...paths,
+                suggestedRationale,
+            ]),
+            unit_id: typeof suggestion.unit_id === "string" && suggestion.unit_id.trim().length > 0
+                ? suggestion.unit_id
+                : params.result.unit_id,
+            pass_id: `deepening:${params.result.pass_id}`,
+            lens: params.result.lens,
+            file_paths: paths,
+            file_line_counts: Object.fromEntries(paths.map((path) => [
+                path,
+                coverageByPath.get(path) ?? params.lineIndex?.[path] ?? 0,
+            ])),
+            rationale: `Lens steward follow-up from ${params.result.task_id}. ${suggestedRationale}`,
+            priority: normalizedSuggestedPriority(suggestion.priority, "medium"),
+            tags: [
+                DEEPENING_TAG,
+                LENS_VERIFICATION_FOLLOWUP_TAG,
+                "trigger:lens_verification",
+                `source_task:${sanitizeSegment(params.result.task_id)}`,
+            ],
+            status: "pending",
+        });
+    }
+    return tasks;
+}
 function findingContexts(results, taskById) {
     const contexts = [];
     for (const result of results) {
@@ -345,6 +684,16 @@ export function buildSelectiveDeepeningTasks(options) {
             lineIndex: options.lineIndex,
         }));
     }
+    for (const result of options.results) {
+        const task = taskById.get(result.task_id);
+        for (const followupTask of buildVerificationFollowupTasks({
+            result,
+            task,
+            lineIndex: options.lineIndex,
+        })) {
+            pushIfNew(followupTask);
+        }
+    }
     const runtimeTaskById = new Map((options.runtimeValidationTasks?.tasks ?? []).map((task) => [
         task.id,
         task,
@@ -369,6 +718,14 @@ export function buildSelectiveDeepeningTasks(options) {
             lineIndex: options.lineIndex,
         }));
     }
+    for (const task of buildLensVerificationTasks({
+        existingTasks,
+        results: options.results,
+        lineIndex: options.lineIndex,
+        externalAnalyzerResults: options.externalAnalyzerResults,
+    })) {
+        pushIfNew(task);
+    }
     const cleanResults = options.results
         .map((result) => ({ result, task: taskById.get(result.task_id) }))
         .filter(({ result, task }) => isHighRiskCleanResult(result, task))
@@ -389,4 +746,6 @@ export function buildSelectiveDeepeningTasks(options) {
 }
 export const selectiveDeepeningTestUtils = {
     DEEPENING_TAG,
+    LENS_VERIFICATION_TAG,
+    LENS_VERIFICATION_FOLLOWUP_TAG,
 };

package/dist/prompts/renderWorkerPrompt.js

@@ -7,13 +7,9 @@ export function renderWorkerPrompt(task) {
     if (task.preferred_executor === "agent" && task.audit_results_path) {
         const tasksPath = task.pending_audit_tasks_path ??
             `${task.artifacts_dir}/audit_tasks.json`;
-        const resultsSchemaPath = `${task.artifacts_dir}/dispatch/audit-results.schema.json`;
-        const singleResultSchemaPath = `${task.artifacts_dir}/dispatch/audit-result.schema.json`;
         const lines = [
             `Audit run: ${task.run_id}`,
             `Read: ${tasksPath}`,
-            `Array schema: ${resultsSchemaPath}`,
-            `Single-result schema: ${singleResultSchemaPath}`,
             "Scope: review only the tasks listed in the Read file. Do not add tasks,",
             "edit source files, remediate findings, run unrelated audits, or write result_path.",
             "For each listed task: read the assigned file_paths under the specified lens,",
@@ -25,6 +21,9 @@ export function renderWorkerPrompt(task) {
             "Each finding: id, title, category, severity, confidence, lens, summary,",
             "  affected_files [{path, line_start, line_end, symbol}] (objects, not strings; min 1 entry),",
             "  evidence [strings] (min 1 entry).",
+            "For tasks tagged lens_verification: do not write direct findings; use findings: []",
+            "  and include verification {verified, needs_followup, concerns, coverage_concerns,",
+            "  confidence_concerns, followup_tasks}.",
             "Constraint: line_end must not exceed total_lines for that file.",
             `Write only the JSON array of AuditResult objects to: ${task.audit_results_path}`,
         ];

package/dist/types.d.ts

@@ -88,6 +88,14 @@ export interface Finding {
     systemic?: boolean;
     related_findings?: string[];
 }
+export interface AuditVerification {
+    verified: boolean;
+    needs_followup: boolean;
+    concerns?: string[];
+    coverage_concerns?: string[];
+    confidence_concerns?: string[];
+    followup_tasks?: AuditTask[];
+}
 export interface AuditResult {
     task_id: string;
     unit_id: string;
@@ -102,4 +110,5 @@ export interface AuditResult {
     notes?: string[];
     requires_followup?: boolean;
     followup_tasks?: string[];
+    verification?: AuditVerification;
 }

package/dist/validation/auditResults.js

@@ -10,6 +10,8 @@ const REQUIRED_FINDING_FIELDS = [
 ];
 const VALID_SEVERITIES = new Set(["critical", "high", "medium", "low", "info"]);
 const VALID_CONFIDENCES = new Set(["high", "medium", "low"]);
+const VALID_PRIORITIES = new Set(["high", "medium", "low"]);
+const LENS_VERIFICATION_TAG = "lens_verification";
 const VALID_LENSES = new Set([
     "correctness",
     "architecture",
@@ -207,6 +209,161 @@ function validateFinding(finding, label, taskId, resultIndex) {
     }
     return issues;
 }
+function validateOptionalStringArray(value, label, taskId, resultIndex, issues) {
+    if (value === undefined) {
+        return;
+    }
+    if (!Array.isArray(value)) {
+        pushIssue(issues, {
+            result_index: resultIndex,
+            task_id: taskId,
+            field: label,
+            message: `${label} must be an array of strings, got ${describeValue(value)}.`,
+        });
+        return;
+    }
+    for (let index = 0; index < value.length; index++) {
+        if (typeof value[index] !== "string") {
+            pushIssue(issues, {
+                result_index: resultIndex,
+                task_id: taskId,
+                field: `${label}[${index}]`,
+                message: `${label}[${index}] must be a string, got ${describeValue(value[index])}.`,
+            });
+        }
+    }
+}
+function validateVerificationFollowupTask(task, label, taskId, resultIndex, expectedLens, allowedPaths, issues) {
+    if (!isRecord(task)) {
+        pushIssue(issues, {
+            result_index: resultIndex,
+            task_id: taskId,
+            field: label,
+            message: `${label} must be an AuditTask object, got ${describeValue(task)}.`,
+        });
+        return;
+    }
+    for (const field of ["task_id", "unit_id", "pass_id", "lens", "rationale"]) {
+        validateRequiredStringField(task[field], `${label}.${field}`, taskId, resultIndex, issues);
+    }
+    if (typeof task.lens === "string" && !VALID_LENSES.has(task.lens)) {
+        pushIssue(issues, {
+            result_index: resultIndex,
+            task_id: taskId,
+            field: `${label}.lens`,
+            message: `Invalid lens '${task.lens}'. Must be one of: ${[...VALID_LENSES].join(", ")}.`,
+        });
+    }
+    if (typeof expectedLens === "string" &&
+        typeof task.lens === "string" &&
+        task.lens !== expectedLens) {
+        pushIssue(issues, {
+            result_index: resultIndex,
+            task_id: taskId,
+            field: `${label}.lens`,
+            message: `${label}.lens must match the lens verification task ` +
+                `(expected '${expectedLens}', got '${task.lens}').`,
+        });
+    }
+    if (task.priority !== undefined &&
+        (typeof task.priority !== "string" || !VALID_PRIORITIES.has(task.priority))) {
+        pushIssue(issues, {
+            result_index: resultIndex,
+            task_id: taskId,
+            field: `${label}.priority`,
+            message: `${label}.priority must be one of: ${[...VALID_PRIORITIES].join(", ")}.`,
+        });
+    }
+    if (!Array.isArray(task.file_paths) || task.file_paths.length === 0) {
+        pushIssue(issues, {
+            result_index: resultIndex,
+            task_id: taskId,
+            field: `${label}.file_paths`,
+            message: `${label}.file_paths must be a non-empty array.`,
+        });
+    }
+    else {
+        for (let index = 0; index < task.file_paths.length; index++) {
+            const path = task.file_paths[index];
+            if (!isNonEmptyString(path)) {
+                pushIssue(issues, {
+                    result_index: resultIndex,
+                    task_id: taskId,
+                    field: `${label}.file_paths[${index}]`,
+                    message: `${label}.file_paths[${index}] must be a non-empty string.`,
+                });
+                continue;
+            }
+            if (!allowedPaths.has(path)) {
+                pushIssue(issues, {
+                    result_index: resultIndex,
+                    task_id: taskId,
+                    field: `${label}.file_paths[${index}]`,
+                    message: `${label}.file_paths[${index}] references '${path}', which is outside the verification task's file_coverage.`,
+                });
+            }
+        }
+    }
+    validateOptionalStringArray(task.tags, `${label}.tags`, taskId, resultIndex, issues);
+}
+function validateVerification(value, result, task, coverage, taskId, resultIndex, issues) {
+    if (value === undefined) {
+        return;
+    }
+    if (!isRecord(value)) {
+        pushIssue(issues, {
+            result_index: resultIndex,
+            task_id: taskId,
+            field: "verification",
+            message: `verification must be an object, got ${describeValue(value)}.`,
+        });
+        return;
+    }
+    if (typeof value.verified !== "boolean") {
+        pushIssue(issues, {
+            result_index: resultIndex,
+            task_id: taskId,
+            field: "verification.verified",
+            message: `verification.verified must be a boolean, got ${describeValue(value.verified)}.`,
+        });
+    }
+    if (typeof value.needs_followup !== "boolean") {
+        pushIssue(issues, {
+            result_index: resultIndex,
+            task_id: taskId,
+            field: "verification.needs_followup",
+            message: `verification.needs_followup must be a boolean, got ${describeValue(value.needs_followup)}.`,
+        });
+    }
+    if (task && !task.tags?.includes(LENS_VERIFICATION_TAG)) {
+        pushIssue(issues, {
+            result_index: resultIndex,
+            task_id: taskId,
+            field: "verification",
+            message: "verification is intended only for tasks tagged lens_verification.",
+            severity: "warning",
+        });
+    }
+    validateOptionalStringArray(value.concerns, "verification.concerns", taskId, resultIndex, issues);
+    validateOptionalStringArray(value.coverage_concerns, "verification.coverage_concerns", taskId, resultIndex, issues);
+    validateOptionalStringArray(value.confidence_concerns, "verification.confidence_concerns", taskId, resultIndex, issues);
+    if (value.followup_tasks === undefined) {
+        return;
+    }
+    if (!Array.isArray(value.followup_tasks)) {
+        pushIssue(issues, {
+            result_index: resultIndex,
+            task_id: taskId,
+            field: "verification.followup_tasks",
+            message: `verification.followup_tasks must be an array, got ${describeValue(value.followup_tasks)}.`,
+        });
+        return;
+    }
+    const allowedPaths = new Set(coverage.map((entry) => entry.path));
+    for (let index = 0; index < value.followup_tasks.length; index++) {
+        validateVerificationFollowupTask(value.followup_tasks[index], `verification.followup_tasks[${index}]`, taskId, resultIndex, result.lens, allowedPaths, issues);
+    }
+}
 function coversAffectedSpan(coverage, path, start, end) {
     return coverage.some((entry) => entry.path === path &&
         start > 0 &&
@@ -438,6 +595,7 @@ export function validateAuditResults(results, tasks, options = {}) {
                 }
             }
         }
+        validateVerification(result.verification, result, task, normalizedFileCoverage, taskId, i, issues);
     }
     return issues;
 }

package/docs/contract.md

@@ -31,6 +31,9 @@ Important rules:
 - each finding lens must match the assigned task lens.
 - `findings[].affected_files` must be objects, not strings.
 - `findings[].evidence` must be an array of plain strings.
+- lens steward tasks are tagged `lens_verification`; they must emit
+  `findings: []` plus `verification` metadata. Suggested `verification.followup_tasks`
+  are treated as bounded follow-up requests, not direct findings.
 
 Use `audit-code validate-results --results <file>` before ingestion to validate
 results against the active task manifest.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.3.6",
+  "version": "0.3.7",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",

package/schemas/audit_result.schema.json

@@ -14,6 +14,9 @@
   "$defs": {
     "Finding": {
       "$ref": "finding.schema.json"
+    },
+    "AuditTask": {
+      "$ref": "audit_task.schema.json"
     }
   },
   "properties": {
@@ -50,6 +53,31 @@
     "followup_tasks": {
       "type": "array",
       "items": { "type": "string" }
+    },
+    "verification": {
+      "type": "object",
+      "required": ["verified", "needs_followup"],
+      "properties": {
+        "verified": { "type": "boolean" },
+        "needs_followup": { "type": "boolean" },
+        "concerns": {
+          "type": "array",
+          "items": { "type": "string" }
+        },
+        "coverage_concerns": {
+          "type": "array",
+          "items": { "type": "string" }
+        },
+        "confidence_concerns": {
+          "type": "array",
+          "items": { "type": "string" }
+        },
+        "followup_tasks": {
+          "type": "array",
+          "items": { "$ref": "#/$defs/AuditTask" }
+        }
+      },
+      "additionalProperties": false
     }
   },
   "additionalProperties": false