auditor-lambda 0.6.11 → 0.7.0

package/audit-code-wrapper-lib.mjs

@@ -2,7 +2,7 @@ import { access, cp, mkdir, open, readFile, readdir, stat, unlink, writeFile } f
 import { constants } from 'node:fs';
 import { spawn } from 'node:child_process';
 import { createRequire } from 'node:module';
-import { dirname, join, relative, resolve } from 'node:path';
+import { dirname, isAbsolute, join, relative, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
 
 const repoRoot = dirname(fileURLToPath(import.meta.url));
@@ -247,11 +247,54 @@ async function acquireBuildLock() {
   }
 }
 
+// Pure, testable core of the build preflight. `sharedManifestPath` is the
+// resolved path of @audit-tools/shared's package.json (or null if it could not
+// be resolved at all); `checkoutRoot` is the root this wrapper belongs to.
+export function assertWorkspaceInstalled({ checkoutRoot, sharedManifestPath }) {
+  if (!sharedManifestPath) {
+    throw new Error(
+      'Dependencies are not installed for this checkout. Run `npm install` from ' +
+        'the repository root, then retry — building from source needs node_modules ' +
+        '(including the @audit-tools/shared workspace link).',
+    );
+  }
+
+  const relToCheckout = relative(checkoutRoot, sharedManifestPath);
+  if (relToCheckout.startsWith('..') || isAbsolute(relToCheckout)) {
+    throw new Error(
+      `@audit-tools/shared resolved to ${sharedManifestPath}, outside this ` +
+        `checkout (${checkoutRoot}). node_modules was never installed here — ` +
+        'common in a fresh git worktree — so building would typecheck against ' +
+        "another checkout's stale dist and report phantom \"missing export\" " +
+        "errors. Run `npm install` from this checkout's root.",
+    );
+  }
+}
+
+// Catches the common fresh-checkout trap before `npm run build` runs: with no
+// local node_modules, Node/tsc resolve @audit-tools/shared against a different
+// checkout (e.g. the main repo when running inside a git worktree).
+async function preflightWorkspace() {
+  const requireFromHere = createRequire(import.meta.url);
+  let sharedManifestPath = null;
+  try {
+    sharedManifestPath = requireFromHere.resolve('@audit-tools/shared/package.json');
+  } catch {
+    sharedManifestPath = null;
+  }
+  assertWorkspaceInstalled({
+    checkoutRoot: resolve(repoRoot, '..', '..'),
+    sharedManifestPath,
+  });
+}
+
 async function ensureBuilt() {
   if (!(await shouldBuildDist())) {
     return;
   }
 
+  await preflightWorkspace();
+
   const lockHandle = await acquireBuildLock();
   if (!lockHandle) {
     return;

package/dist/cli/args.d.ts

@@ -35,6 +35,7 @@ export declare function summarizeLaunchExit(result: {
     error?: string;
 }): string | null;
 export declare function taskResultPath(taskResultsDir: string, taskId: string): string;
+export declare function isCanonicalResultFilename(filename: string): boolean;
 export declare function packetPromptPath(taskResultsDir: string, packetId: string): string;
 export declare function readStdinText(): Promise<string>;
 export declare function normalizePositiveInteger(value: unknown): number | undefined;

package/dist/cli/args.js

@@ -101,6 +101,14 @@ export function summarizeLaunchExit(result) {
 export function taskResultPath(taskResultsDir, taskId) {
     return join(taskResultsDir, artifactNameForId(taskId, "json"));
 }
+const CANONICAL_RESULT_FILENAME = /_[0-9a-f]{12}\.json$/i;
+// True when `filename` matches the canonical per-task result naming produced by
+// artifactNameForId (stem + "_" + 12-hex sha256 digest + ".json"). Lets
+// merge-and-ingest tell legitimate prior-round results apart from genuinely
+// stray files (e.g. packet-23-results.json) left in task-results/.
+export function isCanonicalResultFilename(filename) {
+    return CANONICAL_RESULT_FILENAME.test(filename);
+}
 export function packetPromptPath(taskResultsDir, packetId) {
     return join(taskResultsDir, artifactNameForId(packetId, "prompt.md"));
 }

package/dist/cli/dispatch.js

@@ -8,7 +8,7 @@ import { orderTasksForPacketReview, buildReviewPackets, sizeIndexFromManifest, }
 import { buildFileAnchorSummary } from "../orchestrator/fileAnchors.js";
 import { resolveFreshSessionProviderName } from "../providers/index.js";
 import { loadSessionConfig } from "../supervisor/sessionConfig.js";
-import { scheduleWave, buildProviderModelKey, readQuotaState, resolveHostActiveSubagentLimit, lookupDiscoveredLimits, mergeDiscoveredLimits, } from "../quota/index.js";
+import { scheduleWave, buildProviderModelKey, resolveHostModel, readQuotaState, resolveHostActiveSubagentLimit, lookupDiscoveredLimits, mergeDiscoveredLimits, } from "../quota/index.js";
 import { taskResultPath, packetPromptPath, artifactNameForId, toBase64Url, fromBase64Url, getFlag, } from "./args.js";
 export const LARGE_FILE_PACKET_TARGET_LINES = 2500;
 export const SMALL_MODEL_HINT_MAX_LINES = 500;
@@ -391,7 +391,9 @@ export async function prepareDispatchArtifacts(params) {
             ...taskSections,
             "## Output",
             "Do not write files directly. Do not use a Write tool, create temp files, edit source files,",
-            "remediate findings, create extra task results, or run unrelated audits.",
+            "remediate findings, run unrelated audits, or write any result file yourself (e.g.",
+            "packet-*-result.json / audit_result_*.json) — the submit-packet command below is the only",
+            "way to record results, and it writes them inside the artifacts directory for you.",
             "Produce one JSON array containing exactly one AuditResult object for each listed task.",
             "",
             "Required AuditResult fields:",
@@ -453,9 +455,18 @@ export async function prepareDispatchArtifacts(params) {
         run_id: runId,
         entries: resultMapEntries,
     });
-    const hostModel = params.hostModel ?? null;
     const perPacketTokens = plan.map((p) => p.complexity.estimated_tokens);
     const quotaProviderName = resolveFreshSessionProviderName(undefined, sessionConfig);
+    // Resolve the host model (explicit/CLI override → block_quota.host_model → env
+    // → per-provider default) so per-model quota detection engages with realistic
+    // limits instead of the conservative unknown-model floor. params.hostModel
+    // carries any caller/CLI override.
+    const hostModel = resolveHostModel({
+        providerName: quotaProviderName,
+        sessionConfig,
+        explicitModel: params.hostModel,
+        envVar: "AUDIT_CODE_HOST_MODEL",
+    });
     const quotaProviderKey = buildProviderModelKey(quotaProviderName, hostModel);
     const quotaState = await readQuotaState().catch(() => ({ version: 2, entries: {} }));
     const quotaStateEntry = quotaState.entries[quotaProviderKey] ?? null;

package/dist/cli/nextStepCommand.js

@@ -3,6 +3,7 @@ import { join, resolve } from "node:path";
 import { isFileMissingError, readJsonFile, writeJsonFile, } from "@audit-tools/shared";
 import { loadArtifactBundle, promoteFinalAuditReport, writeCoreArtifacts, AUDIT_REPORT_FILENAME, } from "../io/artifacts.js";
 import { advanceAudit } from "../orchestrator/advance.js";
+import { computeArtifactStateSignature } from "../orchestrator/artifactMetadata.js";
 import { decideNextStep } from "../orchestrator/nextStep.js";
 import { deriveAuditState } from "../orchestrator/state.js";
 import { checkFileIntegrity } from "../orchestrator/fileIntegrity.js";
@@ -25,6 +26,15 @@ import { getArtifactsDir, getFlag, getHostMaxActiveSubagents, getMaxRuns, getOpt
 async function runDeterministicForNextStep(params) {
     let lastSummary = "";
     let analyzers = params.analyzers;
+    // Finalization thrashing guard. A converging run produces a (mostly) new
+    // artifact state each iteration, so the iteration count tracks the number of
+    // distinct states closely (a few idempotent passes are normal). When
+    // iterations outrun distinct states by this tolerance, deterministic executors
+    // are revisiting states (a staleness ping-pong, e.g. runtime_validation <->
+    // synthesis) rather than progressing — stop instead of spinning to maxRuns.
+    const FINALIZATION_CYCLE_TOLERANCE = 16;
+    const seenStateSignatures = new Set();
+    const obligationTrail = [];
     for (let index = 0; index < params.maxRuns; index++) {
         const bundle = await loadArtifactBundle(params.artifactsDir);
         const decision = decideNextStep(bundle);
@@ -286,6 +296,33 @@ async function runDeterministicForNextStep(params) {
                 reason: result.progress_summary,
             };
         }
+        // Finalization cycle guard. If this iteration returned the audit to an
+        // artifact state already produced this run, the deterministic loop is
+        // thrashing (no net progress) rather than converging. The canonical outputs
+        // are already rendered, so stop and surface the cycling obligations instead
+        // of spinning to maxRuns and crashing.
+        obligationTrail.push(decision.selected_obligation ?? "unknown");
+        seenStateSignatures.add(computeArtifactStateSignature(result.updated_bundle));
+        if (index + 1 - seenStateSignatures.size >= FINALIZATION_CYCLE_TOLERANCE) {
+            const cycle = Array.from(new Set(obligationTrail.slice(-FINALIZATION_CYCLE_TOLERANCE)));
+            await writeJsonFile(join(params.artifactsDir, "steps", "deterministic-progress.json"), {
+                iteration: index + 1,
+                max_runs: params.maxRuns,
+                cycle_detected: true,
+                cycling_obligations: cycle,
+                summary: "Finalization kept revisiting prior artifact states without net " +
+                    `progress; stopping. Cycling obligations: ${cycle.join(" -> ")}.`,
+                timestamp: new Date().toISOString(),
+            });
+            return {
+                kind: "blocked",
+                state: result.audit_state,
+                bundle: result.updated_bundle,
+                reason: "Finalization is not converging: deterministic executors kept revisiting " +
+                    `prior artifact states (${cycle.join(" -> ")}). The report has been ` +
+                    "rendered; review whether these obligations are erroneously invalidating each other.",
+            };
+        }
     }
     const bundle = await loadArtifactBundle(params.artifactsDir);
     const state = deriveAuditState(bundle);

package/dist/cli/prompts.js

@@ -68,6 +68,8 @@ export function renderDispatchReviewPrompt(params) {
             "`host_concurrency_limit` records any detected hard host cap that contributed to `wave_size`.",
             "",
             "For each wave: use the `task` tool (or equivalent subagent dispatch) to launch up to `wave_size` subagents in parallel (one per entry), wait for all to finish, then start the next wave.",
+            "",
+            'If a subagent reports a host session/usage limit (e.g. "hit your session limit · resets <time>") instead of submitting its result, do not immediately re-dispatch it: run merge-and-ingest with the results you did get, then wait until the stated reset time before running next-step to re-dispatch the remaining packets. Re-dispatching into an active limit just loses the wave.',
         ]
         : [
             "Read this generated dispatch plan:",

package/dist/cli.js

@@ -26,7 +26,7 @@ import { runAuditCodeMcpServer } from "./mcp/server.js";
 import { scheduleWave, buildProviderModelKey, readQuotaState, resolveLimits, resolveHostActiveSubagentLimit, probeProvider, computeMaxSafeConcurrency, getQuotaStatePath, lookupDiscoveredLimits, setQuotaStateDir, } from "./quota/index.js";
 // Re-exports from extracted modules
 export { resolveHostDispatchCapability, DIRECT_CLI_DEFAULTS, getFlag, hasFlag, getOptionalBooleanFlag, getArtifactsDir, getRootDir, getBatchResultsDir, getMaxRuns, getAgentBatchSize, getParallelWorkers, getTimeoutMs, chunkArray, getUiMode, looksLikeCliFlag, countLines, warnIfNotGitRepo, } from "./cli/args.js";
-import { DIRECT_CLI_DEFAULTS, getFlag, hasFlag, fromBase64Url, taskResultPath, readStdinText, getArtifactsDir, getRootDir, warnIfNotGitRepo, getBatchResultsDir, getMaxRuns, getAgentBatchSize, getParallelWorkers, getTimeoutMs, getExplicitProvider, getHostModel, getHostMaxActiveSubagents, getQuotaProbeMode, resolveRunProviderName, chunkArray, getUiMode, looksLikeCliFlag, countLines, } from "./cli/args.js";
+import { DIRECT_CLI_DEFAULTS, getFlag, hasFlag, fromBase64Url, taskResultPath, isCanonicalResultFilename, readStdinText, getArtifactsDir, getRootDir, warnIfNotGitRepo, getBatchResultsDir, getMaxRuns, getAgentBatchSize, getParallelWorkers, getTimeoutMs, getExplicitProvider, getHostModel, getHostMaxActiveSubagents, getQuotaProbeMode, resolveRunProviderName, chunkArray, getUiMode, looksLikeCliFlag, countLines, } from "./cli/args.js";
 import { WORKER_RESULT_CONTRACT_VERSION, buildWorkerResult, formatAuditResultValidationError, } from "./cli/workerResult.js";
 import { DISPATCH_RESULT_MAP_FILENAME, ACTIVE_DISPATCH_FILENAME, resolveRunScopedArg, loadDispatchResultMap, entriesByTaskId, buildPendingAuditTasks, prepareDispatchArtifacts, } from "./cli/dispatch.js";
 import { buildLineIndex, buildLineIndexForPaths, addFileLineCountHints, } from "./cli/lineIndex.js";
@@ -510,20 +510,29 @@ async function cmdMergeAndIngest(argv) {
     const fallbackByTaskId = new Map();
     for (const filename of files) {
         const filePath = resolve(join(taskResultsDir, filename));
-        if (!expectedPaths.has(filePath)) {
-            spuriousFileCount++;
-            try {
-                const raw = await readFile(filePath, "utf8");
-                const parsed = JSON.parse(raw);
-                if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
-                    const tid = typeof parsed.task_id === "string"
-                        ? String(parsed.task_id) : undefined;
-                    if (tid && !fallbackByTaskId.has(tid)) {
-                        fallbackByTaskId.set(tid, parsed);
-                    }
+        if (expectedPaths.has(filePath))
+            continue;
+        // Not part of this round's plan. Still read it so a current task can be
+        // recovered by task_id (e.g. a subagent wrote a valid result under a
+        // non-assigned name).
+        try {
+            const raw = await readFile(filePath, "utf8");
+            const parsed = JSON.parse(raw);
+            if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+                const tid = typeof parsed.task_id === "string"
+                    ? String(parsed.task_id) : undefined;
+                if (tid && !fallbackByTaskId.has(tid)) {
+                    fallbackByTaskId.set(tid, parsed);
                 }
             }
-            catch { /* not parseable — skip */ }
+        }
+        catch { /* not parseable — skip */ }
+        // Only genuinely stray files are "spurious". Canonical per-task result files
+        // (<stem>_<digest>.json) left by prior deepening rounds in the same
+        // task-results/ dir are legitimate and must not inflate the count or bury
+        // the real stray-file signal (3 -> 191 over a run before this fix).
+        if (!isCanonicalResultFilename(filename)) {
+            spuriousFileCount++;
             process.stderr.write(`[merge-and-ingest] Warning: unexpected file in task-results/: ${filename}\n`);
         }
     }

package/dist/extractors/fileInventory.js

@@ -1,10 +1,23 @@
 import { normalizeExtractorPath } from "./pathPatterns.js";
 import { LANGUAGE_BY_EXTENSION } from "./languageMap.generated.js";
+// The generated linguist map resolves a few common extensions to obscure
+// languages that outrank the everyday one (".md" -> GCC machine description,
+// ".yml"/".yaml" -> MiniYAML). These overrides win over the generated map so the
+// file inventory does not mislabel ordinary docs/config. Keep this list small
+// and limited to extensions whose generated mapping is demonstrably wrong.
+const EXTENSION_LANGUAGE_OVERRIDES = {
+    md: "markdown",
+    markdown: "markdown",
+    yaml: "yaml",
+    yml: "yaml",
+};
 function inferLanguage(path) {
     const normalized = normalizeExtractorPath(path);
     const base = normalized.split("/").pop() ?? normalized;
-    const extension = base.includes(".") ? base.split(".").pop() ?? "" : "";
-    return LANGUAGE_BY_EXTENSION[extension] ?? "unknown";
+    const extension = (base.includes(".") ? base.split(".").pop() ?? "" : "").toLowerCase();
+    return (EXTENSION_LANGUAGE_OVERRIDES[extension] ??
+        LANGUAGE_BY_EXTENSION[extension] ??
+        "unknown");
 }
 export function buildRepoManifest(repositoryName, files) {
     return {

package/dist/extractors/graphManifestEdges.d.ts

@@ -1,14 +1,12 @@
 import type { GraphEdge } from "@audit-tools/shared";
+import { isCargoManifestPath, isGoWorkspaceManifestPath, isMavenPomPath, isPyprojectPath } from "./graphPathUtils.js";
+export { isCargoManifestPath, isGoWorkspaceManifestPath, isMavenPomPath, isPyprojectPath, };
 export declare function extractPackageEntrypointEdges(fromPath: string, content: string, pathLookup: Map<string, string>): GraphEdge[];
 export declare function extractPackageScriptEdges(fromPath: string, content: string, pathLookup: Map<string, string>): GraphEdge[];
-export declare function isGoWorkspaceManifestPath(path: string): boolean;
-export declare function isCargoManifestPath(path: string): boolean;
-export declare function isMavenPomPath(path: string): boolean;
 export declare function extractWorkspacePackageEdges(fromPath: string, content: string, pathLookup: Map<string, string>): GraphEdge[];
 export declare function extractCargoWorkspaceMemberEdges(fromPath: string, content: string, pathLookup: Map<string, string>): GraphEdge[];
 export declare function extractTypescriptProjectReferenceEdges(fromPath: string, content: string, pathLookup: Map<string, string>): GraphEdge[];
 export declare function extractGoWorkspaceModuleEdges(fromPath: string, content: string, pathLookup: Map<string, string>): GraphEdge[];
 export declare function extractMavenModuleEdges(fromPath: string, content: string, pathLookup: Map<string, string>): GraphEdge[];
-export declare function isPyprojectPath(path: string): boolean;
 export declare function extractPyprojectTestpathLinks(fromPath: string, content: string, pathLookup: Map<string, string>): GraphEdge[];
 export declare function extractYamlPathReferenceEdges(fromPath: string, content: string, pathLookup: Map<string, string>): GraphEdge[];

package/dist/extractors/graphManifestEdges.js

@@ -1,5 +1,9 @@
 import { posix } from "node:path";
-import { graphEdge, normalizeGraphPath, resolveCandidate } from "./graphPathUtils.js";
+import { graphEdge, normalizeGraphPath, resolveCandidate, isCargoManifestPath, isGoModuleManifestPath, isGoWorkspaceManifestPath, isMavenPomPath, isPackageManifestPath, isPnpmWorkspaceManifestPath, isPyprojectPath, isTypescriptProjectConfigPath, } from "./graphPathUtils.js";
+// Re-exported for the graph builder, which imports these manifest predicates
+// from here for historical reasons; the canonical definitions live in
+// graphPathUtils.
+export { isCargoManifestPath, isGoWorkspaceManifestPath, isMavenPomPath, isPyprojectPath, };
 const PACKAGE_ENTRYPOINT_EDGE_CONFIDENCE = 0.9;
 const PACKAGE_SCRIPT_EDGE_CONFIDENCE = 0.88;
 const WORKSPACE_PACKAGE_EDGE_CONFIDENCE = 0.86;
@@ -8,9 +12,6 @@ const GO_WORKSPACE_MODULE_EDGE_CONFIDENCE = 0.87;
 const CARGO_WORKSPACE_MEMBER_EDGE_CONFIDENCE = 0.87;
 const MAVEN_MODULE_EDGE_CONFIDENCE = 0.87;
 const PACKAGE_SCRIPT_REFERENCE_PATTERN = /(?:^|[\s"'`])((?:\.{1,2}\/)?(?:[\w.-]+\/)*[\w.-]+\.(?:cjs|cts|js|jsx|mjs|mts|ts|tsx))(?:$|[\s"'`])/gi;
-function isPackageManifestPath(path) {
-    return posix.basename(normalizeGraphPath(path)).toLowerCase() === "package.json";
-}
 function collectPackageEntrypointValues(value, fieldPath, entries) {
     if (typeof value === "string") {
         if (value.trim().length > 0) {
@@ -177,27 +178,6 @@ function packageWorkspacePatterns(content) {
     }
     return patterns;
 }
-function isPnpmWorkspaceManifestPath(path) {
-    return (posix.basename(normalizeGraphPath(path)).toLowerCase() ===
-        "pnpm-workspace.yaml");
-}
-export function isGoWorkspaceManifestPath(path) {
-    return posix.basename(normalizeGraphPath(path)).toLowerCase() === "go.work";
-}
-function isGoModuleManifestPath(path) {
-    return posix.basename(normalizeGraphPath(path)).toLowerCase() === "go.mod";
-}
-export function isCargoManifestPath(path) {
-    return posix.basename(normalizeGraphPath(path)).toLowerCase() === "cargo.toml";
-}
-export function isMavenPomPath(path) {
-    return posix.basename(normalizeGraphPath(path)).toLowerCase() === "pom.xml";
-}
-function isTypescriptProjectConfigPath(path) {
-    const basename = posix.basename(normalizeGraphPath(path)).toLowerCase();
-    return (basename === "tsconfig.json" ||
-        (basename.startsWith("tsconfig.") && basename.endsWith(".json")));
-}
 function stripJsonComments(content) {
     let result = "";
     let inString = false;
@@ -987,9 +967,6 @@ export function extractMavenModuleEdges(fromPath, content, pathLookup) {
 }
 // ─── Pyproject / pytest ───────────────────────────────────────────────────────
 const PYPROJECT_TESTPATHS_LINK_CONFIDENCE = 0.85;
-export function isPyprojectPath(path) {
-    return posix.basename(normalizeGraphPath(path)).toLowerCase() === "pyproject.toml";
-}
 function pyprojectTestpaths(content) {
     const values = [];
     let currentSection = "";

package/dist/extractors/graphPathUtils.d.ts

@@ -15,3 +15,19 @@ export declare function resolveReferenceLiteral(fromPath: string, literal: strin
 export declare function isJsonSchemaPath(path: string): boolean;
 /** True for pytest `conftest.py` files. */
 export declare function isPytestConftestPath(path: string): boolean;
+/** True for `package.json` files. */
+export declare function isPackageManifestPath(path: string): boolean;
+/** True for `tsconfig.json` / `tsconfig.<name>.json` project config files. */
+export declare function isTypescriptProjectConfigPath(path: string): boolean;
+/** True for Go `go.mod` module manifests. */
+export declare function isGoModuleManifestPath(path: string): boolean;
+/** True for Go `go.work` workspace manifests. */
+export declare function isGoWorkspaceManifestPath(path: string): boolean;
+/** True for Rust `Cargo.toml` manifests. */
+export declare function isCargoManifestPath(path: string): boolean;
+/** True for Maven `pom.xml` manifests. */
+export declare function isMavenPomPath(path: string): boolean;
+/** True for Python `pyproject.toml` manifests. */
+export declare function isPyprojectPath(path: string): boolean;
+/** True for `pnpm-workspace.yaml` workspace manifests. */
+export declare function isPnpmWorkspaceManifestPath(path: string): boolean;

package/dist/extractors/graphPathUtils.js

@@ -131,3 +131,43 @@ export function isJsonSchemaPath(path) {
 export function isPytestConftestPath(path) {
     return posix.basename(normalizeGraphPath(path)).toLowerCase() === "conftest.py";
 }
+// ---- Build-manifest path predicates ----
+// One canonical set, shared by the graph manifest-edge extractor and the
+// packetizer. Each preserves path case (so distinct files differing only by
+// case are never collapsed) and matches the manifest filename
+// case-insensitively, since manifest names are conventionally lowercase.
+/** True for `package.json` files. */
+export function isPackageManifestPath(path) {
+    return posix.basename(normalizeGraphPath(path)).toLowerCase() === "package.json";
+}
+/** True for `tsconfig.json` / `tsconfig.<name>.json` project config files. */
+export function isTypescriptProjectConfigPath(path) {
+    const basename = posix.basename(normalizeGraphPath(path)).toLowerCase();
+    return (basename === "tsconfig.json" ||
+        (basename.startsWith("tsconfig.") && basename.endsWith(".json")));
+}
+/** True for Go `go.mod` module manifests. */
+export function isGoModuleManifestPath(path) {
+    return posix.basename(normalizeGraphPath(path)).toLowerCase() === "go.mod";
+}
+/** True for Go `go.work` workspace manifests. */
+export function isGoWorkspaceManifestPath(path) {
+    return posix.basename(normalizeGraphPath(path)).toLowerCase() === "go.work";
+}
+/** True for Rust `Cargo.toml` manifests. */
+export function isCargoManifestPath(path) {
+    return posix.basename(normalizeGraphPath(path)).toLowerCase() === "cargo.toml";
+}
+/** True for Maven `pom.xml` manifests. */
+export function isMavenPomPath(path) {
+    return posix.basename(normalizeGraphPath(path)).toLowerCase() === "pom.xml";
+}
+/** True for Python `pyproject.toml` manifests. */
+export function isPyprojectPath(path) {
+    return posix.basename(normalizeGraphPath(path)).toLowerCase() === "pyproject.toml";
+}
+/** True for `pnpm-workspace.yaml` workspace manifests. */
+export function isPnpmWorkspaceManifestPath(path) {
+    return (posix.basename(normalizeGraphPath(path)).toLowerCase() ===
+        "pnpm-workspace.yaml");
+}

package/dist/orchestrator/artifactMetadata.d.ts

@@ -1,4 +1,5 @@
 import type { ArtifactMetadataManifest } from "../types/artifactMetadata.js";
 import type { ArtifactBundle } from "../io/artifacts.js";
 export declare function present(bundle: ArtifactBundle, artifactName: string): boolean;
+export declare function computeArtifactStateSignature(bundle: ArtifactBundle): string;
 export declare function computeArtifactMetadata(bundle: ArtifactBundle, previous?: ArtifactMetadataManifest, updatedArtifacts?: Iterable<string>): ArtifactMetadataManifest;

package/dist/orchestrator/artifactMetadata.js

@@ -1,3 +1,4 @@
+import { createHash } from "node:crypto";
 import { getArtifactValue } from "../io/artifacts.js";
 import { buildReverseDependencyMap, hashArtifactValue, stableStringify, } from "./artifactFreshness.js";
 const REVERSE_DEPENDENCY_MAP = buildReverseDependencyMap();
@@ -31,6 +32,20 @@ export function present(bundle, artifactName) {
     const value = getArtifactValue(bundle, artifactName);
     return value !== undefined && value !== null;
 }
+// Stable signature of the overall artifact state, keyed on per-artifact CONTENT
+// hashes — deliberately NOT revisions, which only ever increment. A
+// deterministic advance loop that revisits a signature it already produced this
+// run is cycling (e.g. a runtime_validation <-> synthesis staleness ping-pong);
+// the content-hash basis catches that even while revisions churn underneath.
+export function computeArtifactStateSignature(bundle) {
+    const metadata = bundle.artifact_metadata;
+    if (!metadata)
+        return "no-metadata";
+    const entries = Object.entries(metadata.artifacts)
+        .map(([name, entry]) => `${name}:${entry.content_hash}`)
+        .sort();
+    return createHash("sha256").update(entries.join("\n")).digest("hex");
+}
 export function computeArtifactMetadata(bundle, previous, updatedArtifacts = []) {
     const artifacts = {};
     const updated = new Set(updatedArtifacts);

package/dist/orchestrator/flowRequeue.js

@@ -1,17 +1,4 @@
-function isLens(value) {
-    return [
-        "correctness",
-        "architecture",
-        "maintainability",
-        "security",
-        "reliability",
-        "performance",
-        "data_integrity",
-        "tests",
-        "operability",
-        "config_deployment",
-    ].includes(String(value));
-}
+import { isLens } from "../types.js";
 function getExternalSignalPaths(externalAnalyzerResults) {
     const results = Array.isArray(externalAnalyzerResults?.results)
         ? externalAnalyzerResults.results

package/dist/orchestrator/reviewPacketSizing.d.ts

@@ -0,0 +1,25 @@
+import type { AuditTask } from "../types.js";
+export declare const DEFAULT_MAX_TASKS_PER_PACKET = 0;
+export declare const ESTIMATED_TOKENS_PER_LINE = 4;
+export declare const ESTIMATED_PACKET_PROMPT_TOKENS = 900;
+export declare const DEFAULT_TARGET_PACKET_TOKENS: number;
+/**
+ * Build a path → size_bytes index from a repo manifest. Byte counts are
+ * recorded during intake, so this never reads files. Review packet token
+ * estimates are derived from these bytes (Phase 2) instead of counted lines.
+ */
+export declare function sizeIndexFromManifest(repoManifest?: {
+    files: ReadonlyArray<{
+        path: string;
+        size_bytes: number;
+    }>;
+}): Record<string, number>;
+/** Estimated content tokens for one task across all of its files. */
+export declare function taskContentTokens(task: AuditTask, sizeIndex?: Record<string, number>, lineIndex?: Record<string, number>): number;
+/**
+ * Estimated content tokens across a set of file paths, resolving an owning task
+ * per path so the line fallback can read its `file_line_counts`. Shared files
+ * are counted once.
+ */
+export declare function fileGroupContentTokens(filePaths: Iterable<string>, tasks: AuditTask[], sizeIndex?: Record<string, number>, lineIndex?: Record<string, number>): number;
+export declare function estimateTaskGroupTokens(tasks: AuditTask[], sizeIndex?: Record<string, number>, lineIndex?: Record<string, number>): number;

package/dist/orchestrator/reviewPacketSizing.js

@@ -0,0 +1,60 @@
+import { estimateTokensFromBytes } from "@audit-tools/shared";
+// Per-packet sizing / token-budget arithmetic for review packetization,
+// extracted from reviewPackets.ts. Estimates derive from manifest byte counts
+// (recorded at intake) with a line-count fallback for manually built tasks.
+export const DEFAULT_MAX_TASKS_PER_PACKET = 0;
+const DEFAULT_TARGET_PACKET_LINES = 8000;
+export const ESTIMATED_TOKENS_PER_LINE = 4;
+export const ESTIMATED_PACKET_PROMPT_TOKENS = 900;
+// Default per-packet content-token budget. Kept equal to the legacy
+// line-target × per-line estimate so byte-derived sizing lands on the same
+// thresholds as the old line-based sizing when the line fallback is in effect.
+export const DEFAULT_TARGET_PACKET_TOKENS = DEFAULT_TARGET_PACKET_LINES * ESTIMATED_TOKENS_PER_LINE;
+/**
+ * Build a path → size_bytes index from a repo manifest. Byte counts are
+ * recorded during intake, so this never reads files. Review packet token
+ * estimates are derived from these bytes (Phase 2) instead of counted lines.
+ */
+export function sizeIndexFromManifest(repoManifest) {
+    if (!repoManifest)
+        return {};
+    return Object.fromEntries(repoManifest.files.map((file) => [file.path, file.size_bytes]));
+}
+/**
+ * Estimated content tokens for a single file. Prefers a byte-based estimate
+ * from `sizeIndex` (sourced from the repo manifest); falls back to the legacy
+ * line-based estimate when no positive byte count is available (e.g. manually
+ * built tasks in tests, or paths absent from the manifest).
+ */
+function pathContentTokens(owner, path, sizeIndex, lineIndex) {
+    const bytes = sizeIndex?.[path];
+    if (typeof bytes === "number" && bytes > 0) {
+        return estimateTokensFromBytes(bytes);
+    }
+    const lines = owner?.file_line_counts?.[path] ?? lineIndex?.[path] ?? 0;
+    return lines * ESTIMATED_TOKENS_PER_LINE;
+}
+/** Estimated content tokens for one task across all of its files. */
+export function taskContentTokens(task, sizeIndex, lineIndex) {
+    return task.file_paths.reduce((sum, path) => sum + pathContentTokens(task, path, sizeIndex, lineIndex), 0);
+}
+/**
+ * Estimated content tokens across a set of file paths, resolving an owning task
+ * per path so the line fallback can read its `file_line_counts`. Shared files
+ * are counted once.
+ */
+export function fileGroupContentTokens(filePaths, tasks, sizeIndex, lineIndex) {
+    let total = 0;
+    for (const path of filePaths) {
+        const owner = tasks.find((task) => task.file_paths.includes(path));
+        total += pathContentTokens(owner, path, sizeIndex, lineIndex);
+    }
+    return total;
+}
+export function estimateTaskGroupTokens(tasks, sizeIndex, lineIndex) {
+    let contentTokens = 0;
+    for (const task of tasks) {
+        contentTokens += taskContentTokens(task, sizeIndex, lineIndex);
+    }
+    return ESTIMATED_PACKET_PROMPT_TOKENS + contentTokens;
+}

package/dist/orchestrator/reviewPackets.d.ts

@@ -1,20 +1,10 @@
 import type { AuditTask } from "../types.js";
 import type { AuditPlanMetrics, ReviewPacket } from "../types/reviewPlanning.js";
 import type { GraphBundle, GraphEdge } from "@audit-tools/shared";
-export declare const ESTIMATED_TOKENS_PER_LINE = 4;
-export declare const ESTIMATED_PACKET_PROMPT_TOKENS = 900;
-/**
- * Build a path → size_bytes index from a repo manifest. Byte counts are
- * recorded during intake, so this never reads files. Review packet token
- * estimates are derived from these bytes (Phase 2) instead of counted lines.
- */
-export declare function sizeIndexFromManifest(repoManifest?: {
-    files: ReadonlyArray<{
-        path: string;
-        size_bytes: number;
-    }>;
-}): Record<string, number>;
-export declare function estimateTaskGroupTokens(tasks: AuditTask[], sizeIndex?: Record<string, number>, lineIndex?: Record<string, number>): number;
+import { normalizeGraphPath } from "../extractors/graphPathUtils.js";
+export { normalizeGraphPath };
+import { ESTIMATED_TOKENS_PER_LINE, ESTIMATED_PACKET_PROMPT_TOKENS, sizeIndexFromManifest, estimateTaskGroupTokens } from "./reviewPacketSizing.js";
+export { ESTIMATED_TOKENS_PER_LINE, ESTIMATED_PACKET_PROMPT_TOKENS, sizeIndexFromManifest, estimateTaskGroupTokens, };
 /**
  * Fan-in / fan-out degree above which a node is treated as a hub. Exported so
  * the Phase 3 delta-scope expansion skips the same hubs that packet planning
@@ -40,7 +30,6 @@ export interface BuildReviewPacketOptions {
      */
     maxContextTokens?: number;
 }
-export declare function normalizeGraphPath(path: string): string;
 export declare function collectGraphEdges(graphBundle?: GraphBundle): GraphEdge[];
 export declare function graphEdgeConfidence(edge: GraphEdge): number;
 export interface GraphDegreeIndex {

package/dist/orchestrator/reviewPackets.js

@@ -1,63 +1,14 @@
 import { createHash } from "node:crypto";
-import { estimateTokensFromBytes, isRecord } from "@audit-tools/shared";
+import { isRecord } from "@audit-tools/shared";
 import { LENS_ORDER, priorityRank, sortLenses } from "./auditTaskUtils.js";
 import { UnionFind } from "./unionFind.js";
-const DEFAULT_MAX_TASKS_PER_PACKET = 0;
-const DEFAULT_TARGET_PACKET_LINES = 8000;
-export const ESTIMATED_TOKENS_PER_LINE = 4;
-export const ESTIMATED_PACKET_PROMPT_TOKENS = 900;
-// Default per-packet content-token budget. Kept equal to the legacy
-// line-target × per-line estimate so byte-derived sizing lands on the same
-// thresholds as the old line-based sizing when the line fallback is in effect.
-const DEFAULT_TARGET_PACKET_TOKENS = DEFAULT_TARGET_PACKET_LINES * ESTIMATED_TOKENS_PER_LINE;
-/**
- * Build a path → size_bytes index from a repo manifest. Byte counts are
- * recorded during intake, so this never reads files. Review packet token
- * estimates are derived from these bytes (Phase 2) instead of counted lines.
- */
-export function sizeIndexFromManifest(repoManifest) {
-    if (!repoManifest)
-        return {};
-    return Object.fromEntries(repoManifest.files.map((file) => [file.path, file.size_bytes]));
-}
-/**
- * Estimated content tokens for a single file. Prefers a byte-based estimate
- * from `sizeIndex` (sourced from the repo manifest); falls back to the legacy
- * line-based estimate when no positive byte count is available (e.g. manually
- * built tasks in tests, or paths absent from the manifest).
- */
-function pathContentTokens(owner, path, sizeIndex, lineIndex) {
-    const bytes = sizeIndex?.[path];
-    if (typeof bytes === "number" && bytes > 0) {
-        return estimateTokensFromBytes(bytes);
-    }
-    const lines = owner?.file_line_counts?.[path] ?? lineIndex?.[path] ?? 0;
-    return lines * ESTIMATED_TOKENS_PER_LINE;
-}
-/** Estimated content tokens for one task across all of its files. */
-function taskContentTokens(task, sizeIndex, lineIndex) {
-    return task.file_paths.reduce((sum, path) => sum + pathContentTokens(task, path, sizeIndex, lineIndex), 0);
-}
-/**
- * Estimated content tokens across a set of file paths, resolving an owning task
- * per path so the line fallback can read its `file_line_counts`. Shared files
- * are counted once.
- */
-function fileGroupContentTokens(filePaths, tasks, sizeIndex, lineIndex) {
-    let total = 0;
-    for (const path of filePaths) {
-        const owner = tasks.find((task) => task.file_paths.includes(path));
-        total += pathContentTokens(owner, path, sizeIndex, lineIndex);
-    }
-    return total;
-}
-export function estimateTaskGroupTokens(tasks, sizeIndex, lineIndex) {
-    let contentTokens = 0;
-    for (const task of tasks) {
-        contentTokens += taskContentTokens(task, sizeIndex, lineIndex);
-    }
-    return ESTIMATED_PACKET_PROMPT_TOKENS + contentTokens;
-}
+import { normalizeGraphPath, isPackageManifestPath, isTypescriptProjectConfigPath, isGoModuleManifestPath, isCargoManifestPath, isMavenPomPath, } from "../extractors/graphPathUtils.js";
+// Re-exported for scope.ts, which imports the canonical path normalizer here.
+export { normalizeGraphPath };
+import { DEFAULT_MAX_TASKS_PER_PACKET, DEFAULT_TARGET_PACKET_TOKENS, ESTIMATED_TOKENS_PER_LINE, ESTIMATED_PACKET_PROMPT_TOKENS, sizeIndexFromManifest, fileGroupContentTokens, taskContentTokens, estimateTaskGroupTokens, } from "./reviewPacketSizing.js";
+// Sizing / token-budget arithmetic moved to reviewPacketSizing.ts; re-exported
+// here for the modules that import it from reviewPackets.
+export { ESTIMATED_TOKENS_PER_LINE, ESTIMATED_PACKET_PROMPT_TOKENS, sizeIndexFromManifest, estimateTaskGroupTokens, };
 const PACKET_EXPANSION_MIN_CONFIDENCE = 0.65;
 /**
  * Fan-in / fan-out degree above which a node is treated as a hub. Exported so
@@ -132,9 +83,6 @@ function buildTaskGroups(tasks) {
     }
     return groups;
 }
-export function normalizeGraphPath(path) {
-    return path.replace(/\\/g, "/").replace(/^\.\//, "").toLowerCase();
-}
 export function collectGraphEdges(graphBundle) {
     if (!graphBundle?.graphs) {
         return [];
@@ -429,28 +377,11 @@ function buildSubsystemClusterEdges(groups, graphEdges, lineIndex, sizeIndex, ta
 }
 function packageManifestRoot(path) {
     const segments = normalizeGraphPath(path).split("/").filter(Boolean);
-    if (segments.at(-1) !== "package.json" || segments.length < 2) {
+    if (!isPackageManifestPath(path) || segments.length < 2) {
         return undefined;
     }
     return segments.slice(0, -1).join("/");
 }
-function isTypescriptProjectConfigPath(path) {
-    const basename = normalizeGraphPath(path).split("/").at(-1);
-    if (!basename) {
-        return false;
-    }
-    return (basename === "tsconfig.json" ||
-        (basename.startsWith("tsconfig.") && basename.endsWith(".json")));
-}
-function isGoModuleManifestPath(path) {
-    return normalizeGraphPath(path).split("/").at(-1) === "go.mod";
-}
-function isCargoManifestPath(path) {
-    return normalizeGraphPath(path).split("/").at(-1) === "cargo.toml";
-}
-function isMavenPomPath(path) {
-    return normalizeGraphPath(path).split("/").at(-1) === "pom.xml";
-}
 function configFileRoot(path, predicate) {
     const segments = normalizeGraphPath(path).split("/").filter(Boolean);
     if (!predicate(path) || segments.length < 2) {

package/dist/orchestrator.js

@@ -1,3 +1,4 @@
+import { isLens } from "./types.js";
 const DEFAULT_LENS_ORDER = [
     "correctness",
     "architecture",
@@ -10,13 +11,9 @@ const DEFAULT_LENS_ORDER = [
     "operability",
     "config_deployment",
 ];
-const VALID_LENSES = new Set(DEFAULT_LENS_ORDER);
 function isRecord(value) {
     return value !== null && typeof value === "object";
 }
-function isLens(value) {
-    return typeof value === "string" && VALID_LENSES.has(value);
-}
 function assertStringArray(value, label) {
     if (!Array.isArray(value) || value.some((item) => typeof item !== "string")) {
         throw new TypeError(`${label} must be an array of strings.`);

package/dist/quota/index.d.ts

@@ -1,7 +1,7 @@
 import type { ResolvedLimits as _ResolvedLimits, LimitConfidence as _LimitConfidence, LimitSource as _LimitSource, HostConcurrencyLimit as _HostConcurrencyLimit, QuotaUsageSnapshot as _QuotaUsageSnapshot, BackoffState as _BackoffState } from "@audit-tools/shared";
 export { resolveLimits, lookupKnownModel, classifyProvider, readQuotaState, writeQuotaState, computeMaxSafeConcurrency, recordWaveOutcome, getQuotaStatePath, decayWeight, applyDecayToEntry, computeBackoffCooldownMs, computeBackoffFailureWeight, computeRampUpConcurrency, setQuotaStateDir, detectRateLimitError, computeCooldownUntil, acquireLock, releaseLock, withFileLock, FileLockTimeoutError, runSlidingWindow, LearnedQuotaSource, CompositeQuotaSource, GenericErrorParser, ClaudeCodeErrorParser, getErrorParserForProvider, } from "@audit-tools/shared";
 export type { LimitResolutionResult, ResolveLimitsOptions, ProviderType, ResolvedLimits, LimitSource, LimitConfidence, HostConcurrencyLimit, HostConcurrencyLimitSource, QuotaState, QuotaStateEntry, ConcurrencyBucket, WaveSchedule, BackoffState, ObservedWaveOutcome, RateLimitDetectionResult, SlidingWindowResult, QuotaSource, QuotaUsageSnapshot, ErrorParser, } from "@audit-tools/shared";
-export { scheduleWave, buildProviderModelKey } from "@audit-tools/shared";
+export { scheduleWave, buildProviderModelKey, resolveHostModel } from "@audit-tools/shared";
 export type { ScheduleWaveOptions } from "@audit-tools/shared";
 export { detectHostActiveSubagentLimit, resolveHostActiveSubagentLimit, } from "./hostLimits.js";
 export { probeProvider } from "./probe.js";

package/dist/quota/index.js

@@ -3,7 +3,7 @@ export { resolveLimits, lookupKnownModel, classifyProvider, readQuotaState, writ
 // Wave scheduler now lives in @audit-tools/shared (single source of truth for
 // both orchestrators). Auditor passes its discovered-limits via the structural
 // DiscoveredRateLimitsInput the shared scheduler accepts.
-export { scheduleWave, buildProviderModelKey } from "@audit-tools/shared";
+export { scheduleWave, buildProviderModelKey, resolveHostModel } from "@audit-tools/shared";
 // Auditor-specific: probe, discovered limits, header extraction
 export { detectHostActiveSubagentLimit, resolveHostActiveSubagentLimit, } from "./hostLimits.js";
 export { probeProvider } from "./probe.js";

package/dist/types/workerSession.d.ts

@@ -23,10 +23,8 @@ export interface WorkerTask {
     runtime_updates_path?: string;
     external_analyzer_results_path?: string;
     worker_command_mode?: WorkerCommandMode;
-    /** @deprecated Prefer worker_command_mode: "deferred" for new task files. */
-    skip_worker_command?: boolean;
     timeout_ms?: number;
     max_retries?: number;
     access?: AccessDeclaration;
 }
-export declare function usesDeferredWorkerCommand(task: Pick<WorkerTask, "worker_command_mode" | "skip_worker_command">): boolean;
+export declare function usesDeferredWorkerCommand(task: Pick<WorkerTask, "worker_command_mode">): boolean;

package/dist/types.d.ts

@@ -1,5 +1,11 @@
 import type { Finding as SharedFinding } from "@audit-tools/shared";
 export type Lens = "correctness" | "architecture" | "maintainability" | "security" | "reliability" | "performance" | "data_integrity" | "tests" | "operability" | "config_deployment" | "observability";
+/** Canonical list of every valid {@link Lens}. Single source of truth — import
+ * {@link isLens} / `ALL_LENSES` instead of hand-copying lens lists into local
+ * guards, which drift (a copy omitting "observability" caused it to be wrongly
+ * rejected in flow requeue). */
+export declare const ALL_LENSES: readonly Lens[];
+export declare function isLens(value: unknown): value is Lens;
 export interface FileRecord {
     path: string;
     language: string;

package/dist/types.js

@@ -1 +1,20 @@
-export {};
+/** Canonical list of every valid {@link Lens}. Single source of truth — import
+ * {@link isLens} / `ALL_LENSES` instead of hand-copying lens lists into local
+ * guards, which drift (a copy omitting "observability" caused it to be wrongly
+ * rejected in flow requeue). */
+export const ALL_LENSES = [
+    "correctness",
+    "architecture",
+    "maintainability",
+    "security",
+    "reliability",
+    "performance",
+    "data_integrity",
+    "tests",
+    "operability",
+    "config_deployment",
+    "observability",
+];
+export function isLens(value) {
+    return (typeof value === "string" && ALL_LENSES.includes(value));
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.6.11",
+  "version": "0.7.0",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",