auditor-lambda 0.6.5 → 0.6.7

package/audit-code-wrapper-lib.mjs

@@ -2781,9 +2781,14 @@ async function runDistCommandInline(commandName, argv) {
   await mkdir(artifactsDir, { recursive: true });
   await ensureBuilt();
 
-  const distUrl = new URL(`file:///${distEntry.replace(/\\/g, '/')}`);
+  // Import the module that exports runCli (dist/cli.js). dist/index.js has no
+  // exports — it is the bare entrypoint that runs `runCli(process.argv)` as an
+  // import side effect — so importing it here both fails to provide runCli and
+  // double-starts the command from this process's argv.
+  const distCliEntry = join(repoRoot, 'dist', 'cli.js');
+  const distUrl = new URL(`file:///${distCliEntry.replace(/\\/g, '/')}`);
   const cli = await import(distUrl.href);
-  await cli.runCli([process.execPath, distEntry, commandName, ...commandArgs]);
+  await cli.runCli([process.execPath, distCliEntry, commandName, ...commandArgs]);
 }
 
 export async function runAuditCodeWrapper({

package/dist/cli/prompts.js

@@ -22,9 +22,12 @@ export function mergeAndIngestCommand(artifactsDir, runId) {
 export function renderDispatchReviewPrompt(params) {
     const mergeCommand = mergeAndIngestCommand(params.artifactsDir, params.activeReviewRun.run_id);
     const continueCommand = nextStepCommand(params.root, params.artifactsDir);
+    // Only mention model_hint when the host can actually act on it. When it
+    // cannot, the field is left as inert plan metadata rather than surfacing a
+    // contradictory "here is model_hint, now ignore it" instruction.
     const modelLine = params.hostCanSelectSubagentModel
         ? "When launching each subagent, map `entry.model_hint.tier` (`small`, `standard`, `deep`) to an available host model without asking the user for model names."
-        : "Ignore `entry.model_hint`; this host did not report per-subagent model selection.";
+        : null;
     const toolsLine = params.hostCanRestrictSubagentTools
         ? "Restrict review subagents to read/search plus the packet submit command named in their prompt. Do not give them source edit/write tools."
         : "Do not ask the user about per-subagent tool restrictions; this host did not report a callable restriction facility.";
@@ -59,7 +62,7 @@ export function renderDispatchReviewPrompt(params) {
         "",
         '  Read and follow the audit instructions in: <entry.prompt_path>',
         "",
-        modelLine,
+        ...(modelLine ? [modelLine] : []),
         toolsLine,
         "",
         "Each subagent must submit its packet through the submit command printed in its packet prompt and stop after successful submission.",

package/dist/cli/steps.d.ts

@@ -8,7 +8,15 @@ export interface StepArtifact {
     prompt_path: string;
     status: StepStatus;
     run_id: string | null;
+    /** Shell commands the host may run for this step. */
     allowed_commands: string[];
+    /**
+     * MCP tool names equivalent to `allowed_commands`, for hosts driving the
+     * backend through the MCP adapter. Omitted when the step has no MCP
+     * equivalents, so a shell host never has to guess which list entries are
+     * tool names versus runnable commands.
+     */
+    allowed_mcp_tools?: string[];
     stop_condition: string;
     repo_root: string;
     artifacts_dir: string;
@@ -21,6 +29,7 @@ export declare function writeCurrentStep(params: {
     status: StepStatus;
     runId: string | null;
     allowedCommands: string[];
+    allowedMcpTools?: string[];
     stopCondition: string;
     repoRoot: string;
     artifactPaths: Record<string, string | null>;

package/dist/cli/steps.js

@@ -15,6 +15,9 @@ export async function writeCurrentStep(params) {
         status: params.status,
         run_id: params.runId,
         allowed_commands: params.allowedCommands,
+        ...(params.allowedMcpTools && params.allowedMcpTools.length > 0
+            ? { allowed_mcp_tools: params.allowedMcpTools }
+            : {}),
         stop_condition: params.stopCondition,
         repo_root: params.repoRoot,
         artifacts_dir: params.artifactsDir,

package/dist/cli.js

@@ -935,12 +935,8 @@ async function renderSemanticReviewStep(params) {
         stepKind: "dispatch_review",
         status: "ready",
         runId: activeReviewRun.run_id,
-        allowedCommands: [
-            "auditor_merge_and_ingest",
-            "auditor_continue_audit",
-            mergeCommand,
-            continueCommand,
-        ],
+        allowedCommands: [mergeCommand, continueCommand],
+        allowedMcpTools: ["auditor_merge_and_ingest", "auditor_continue_audit"],
         stopCondition: "Dispatch every packet, run merge-and-ingest once, then run next-step.",
         repoRoot: root,
         artifactPaths: {

package/dist/quota/scheduler.js

@@ -87,6 +87,14 @@ export function scheduleWave(options) {
                 : computeMaxSafeConcurrency(quotaStateEntry, halfLifeHours);
             waveSize = Math.min(waveSize, learnedCap);
         }
+        else if (hostConcurrencyLimit !== null) {
+            // The host explicitly reported its active-subagent capacity. That is a
+            // real concurrency signal, so it supersedes the conservative
+            // unknown-provider fallback (which exists only when we have no signal at
+            // all). Leaving waveSize untouched here lets applyHostConcurrencyLimit()
+            // below enforce the reported limit as the hard ceiling, while any RPM/TPM
+            // caps applied above still bind.
+        }
         else {
             const providerType = classifyProvider(providerName);
             const fallbackCap = providerType === "local"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.6.5",
+  "version": "0.6.7",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",

package/skills/audit-code/SKILL.md

@@ -83,10 +83,12 @@ audit-code
 
 from the target repository root.
 
-When developing inside the `auditor-lambda` repository itself, prefer:
+When developing `auditor-lambda` itself, prefer the local wrapper at
+`packages/audit-code/audit-code.mjs` (there is no `audit-code.mjs` at the
+monorepo root):
 
 ```bash
-node audit-code.mjs
+node packages/audit-code/audit-code.mjs   # from the monorepo root
 ```
 
 That keeps the run pinned to the local wrapper and local `dist/` output instead

package/skills/audit-code/audit-code.prompt.md

@@ -17,22 +17,30 @@ First, make sure the repository has current local audit assets:
 audit-code ensure --quiet
 ```
 
-Inside the `auditor-lambda` repository itself, use:
+When developing `auditor-lambda` itself, the entrypoint lives at
+`packages/audit-code/audit-code.mjs` (there is no `audit-code.mjs` at the
+monorepo root). From the monorepo root use:
 
 ```bash
-node audit-code.mjs ensure --quiet
+node packages/audit-code/audit-code.mjs ensure --quiet
 ```
 
-Then ask the backend for exactly one next step:
+Then ask the backend for exactly one next step. This host can dispatch review
+subagents in parallel (via the `Agent`/`task` tool), so report that capacity on
+every `next-step` call — otherwise the backend assumes it cannot parallelize and
+sizes dispatch waves to one packet at a time:
 
 ```bash
-audit-code next-step
+audit-code next-step --host-max-active-subagents 4
 ```
 
-Inside the `auditor-lambda` repository itself, use:
+`4` is a safe default for this host; raise it for more parallelism or lower it
+under rate-limit pressure. The backend's learned quota adapts from there.
+
+When developing `auditor-lambda` itself, from the monorepo root use:
 
 ```bash
-node audit-code.mjs next-step
+node packages/audit-code/audit-code.mjs next-step --host-max-active-subagents 4
 ```
 
 Read the returned JSON only far enough to find `prompt_path`, then read and
@@ -45,7 +53,8 @@ Use MCP tools only as a compatibility adapter when direct shell access to
 `continue_audit` tools return the same one-step contract; they are not a
 separate orchestration path.
 
-When a step prompt tells you to continue, run `audit-code next-step` again and
-follow only the newly returned `prompt_path`.
+When a step prompt tells you to continue, run
+`audit-code next-step --host-max-active-subagents 4` again and follow only the
+newly returned `prompt_path`.
 
 Stop when the current step prompt tells you to stop.