auditor-lambda 0.6.9 → 0.6.10

package/dist/cli/auditStep.d.ts

@@ -0,0 +1,63 @@
+import type { AuditResult } from "../types.js";
+import type { AnalyzerSetting } from "@audit-tools/shared";
+import type { RuntimeValidationReport } from "../types/runtimeValidation.js";
+import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
+export declare function runAuditStep(options: {
+    root: string;
+    artifactsDir: string;
+    preferredExecutor?: string;
+    auditResultsPath?: string;
+    runtimeUpdatesPath?: string;
+    externalAnalyzerPath?: string;
+    narrativeResultsPath?: string;
+    edgeReasoningResultsPath?: string;
+    analyzers?: Record<string, AnalyzerSetting>;
+    graphLlmEdgeReasoning?: boolean;
+    since?: string;
+    opentoken?: boolean;
+    runLog?: boolean;
+}): Promise<import("../orchestrator/advance.js").AdvanceAuditResult>;
+export declare function ingestBatchAuditResults(options: {
+    root: string;
+    artifactsDir: string;
+    batchDir: string;
+}): Promise<{
+    batchFiles: string[];
+    bundle: Partial<{
+        repo_manifest: import("../types.js").RepoManifest;
+        file_disposition: import("@audit-tools/shared").FileDisposition;
+        auto_fixes_applied: unknown;
+        unit_manifest: import("../types.js").UnitManifest;
+        graph_bundle: import("@audit-tools/shared").GraphBundle;
+        surface_manifest: import("@audit-tools/shared").SurfaceManifest;
+        critical_flows: import("@audit-tools/shared").CriticalFlowManifest;
+        flow_coverage: import("../types/flowCoverage.js").FlowCoverageManifest;
+        risk_register: import("@audit-tools/shared").RiskRegister;
+        design_assessment: import("../types/designAssessment.js").DesignAssessment;
+        analyzer_capability: import("../types/analyzerCapability.js").AnalyzerCapabilityRecord;
+        scope: import("../types/auditScope.js").AuditScopeManifest;
+        coverage_matrix: import("../types.js").CoverageMatrix;
+        runtime_validation_tasks: import("../types/runtimeValidation.js").RuntimeValidationTaskManifest;
+        runtime_validation_report: RuntimeValidationReport;
+        external_analyzer_results: ExternalAnalyzerResults;
+        syntax_resolution_status: unknown;
+        audit_results: AuditResult[];
+        audit_tasks: import("../types.js").AuditTask[];
+        audit_plan_metrics: import("../types/reviewPlanning.js").AuditPlanMetrics;
+        review_packets: import("../types/reviewPlanning.js").ReviewPacket[];
+        requeue_tasks: import("../types.js").AuditTask[];
+        audit_report: string;
+        audit_findings: import("@audit-tools/shared").AuditFindingsReport;
+        synthesis_narrative: import("../types/synthesisNarrative.js").SynthesisNarrativeRecord;
+        audit_state: import("../types/auditState.js").AuditState;
+        artifact_metadata: import("../types/artifactMetadata.js").ArtifactMetadataManifest;
+        tooling_manifest: import("../types/toolingManifest.js").ToolingManifest;
+    }>;
+    audit_state: import("../types/auditState.js").AuditState;
+    selected_obligation: string | null;
+    selected_executor: string;
+    progress_made: boolean;
+    artifacts_written: string[];
+    progress_summary: string;
+    next_likely_step: string | null;
+}>;

package/dist/cli/auditStep.js

@@ -0,0 +1,133 @@
+import { rename } from "node:fs/promises";
+import { basename, dirname, join } from "node:path";
+import { readJsonFile, RunLogger } from "@audit-tools/shared";
+import { loadArtifactBundle, writeCoreArtifacts, } from "../io/artifacts.js";
+import { advanceAudit } from "../orchestrator/advance.js";
+import { deriveAuditState } from "../orchestrator/state.js";
+import { decideNextStep } from "../orchestrator/nextStep.js";
+import { sizeIndexFromManifest } from "../orchestrator/reviewPackets.js";
+import { validateAuditResults, formatAuditResultIssues, } from "../validation/auditResults.js";
+import { formatAuditResultValidationError } from "./workerResult.js";
+import { looksLikeCliFlag, listBatchResultFiles } from "./args.js";
+import { buildLineIndex } from "./lineIndex.js";
+async function maybeArchiveLegacyPendingResults(auditResultsPath) {
+    if (!auditResultsPath || basename(auditResultsPath) !== "worker_results_pending.json") {
+        return undefined;
+    }
+    const archivedPath = join(dirname(auditResultsPath), `worker_results_submitted_${new Date().toISOString().replace(/[:.]/g, "-")}.json`);
+    try {
+        await rename(auditResultsPath, archivedPath);
+        return archivedPath;
+    }
+    catch (error) {
+        process.stderr.write(`[audit-results cleanup] failed to archive ${auditResultsPath}: ${error instanceof Error ? error.message : String(error)}\n`);
+        return undefined;
+    }
+}
+export async function runAuditStep(options) {
+    const bundle = await loadArtifactBundle(options.artifactsDir);
+    const runLogger = new RunLogger(join(options.artifactsDir, "run.log.jsonl"), {
+        enabled: options.runLog ?? true,
+    });
+    const lineIndex = bundle.repo_manifest
+        ? await buildLineIndex(options.root, bundle.repo_manifest)
+        : undefined;
+    const sizeIndex = bundle.repo_manifest
+        ? sizeIndexFromManifest(bundle.repo_manifest)
+        : undefined;
+    if (looksLikeCliFlag(options.auditResultsPath)) {
+        throw new Error(`Invalid audit results path '${options.auditResultsPath}'. This looks like a CLI flag rather than a file path.`);
+    }
+    const auditResults = options.auditResultsPath
+        ? await readJsonFile(options.auditResultsPath)
+        : undefined;
+    if (auditResults !== undefined) {
+        const issues = validateAuditResults(auditResults, bundle.audit_tasks ?? [], {
+            lineIndex,
+        });
+        const errors = issues.filter((issue) => issue.severity === "error");
+        const warnings = issues.filter((issue) => issue.severity === "warning");
+        if (warnings.length > 0) {
+            process.stderr.write(`audit-results validation: ${warnings.length} warning(s):\n` +
+                formatAuditResultIssues(warnings) +
+                "\n");
+        }
+        if (errors.length > 0) {
+            throw new Error(formatAuditResultValidationError(errors));
+        }
+    }
+    const runtimeValidationUpdates = options.runtimeUpdatesPath
+        ? await readJsonFile(options.runtimeUpdatesPath)
+        : undefined;
+    const externalAnalyzerResults = options.externalAnalyzerPath
+        ? await readJsonFile(options.externalAnalyzerPath)
+        : undefined;
+    const narrativeResults = options.narrativeResultsPath
+        ? await readJsonFile(options.narrativeResultsPath)
+        : undefined;
+    const edgeReasoningResults = options.edgeReasoningResultsPath
+        ? await readJsonFile(options.edgeReasoningResultsPath)
+        : undefined;
+    const result = await advanceAudit(bundle, {
+        root: options.root,
+        lineIndex,
+        sizeIndex,
+        auditResults: auditResults,
+        runtimeValidationUpdates,
+        externalAnalyzerResults,
+        narrativeResults,
+        edgeReasoningResults,
+        analyzers: options.analyzers,
+        graphLlmEdgeReasoning: options.graphLlmEdgeReasoning,
+        since: options.since,
+        preferredExecutor: options.preferredExecutor,
+        opentoken: options.opentoken,
+        runLogger,
+    });
+    await writeCoreArtifacts(options.artifactsDir, result.updated_bundle);
+    const archivedPendingResults = await maybeArchiveLegacyPendingResults(options.auditResultsPath);
+    if (archivedPendingResults) {
+        result.progress_summary +=
+            ` Archived legacy staging file to ${archivedPendingResults}.`;
+    }
+    return result;
+}
+export async function ingestBatchAuditResults(options) {
+    const batchFiles = await listBatchResultFiles(options.batchDir);
+    const artifactsWritten = new Set();
+    const progressSummaries = [];
+    let lastStep = null;
+    let anyProgress = false;
+    for (const batchFile of batchFiles) {
+        const step = await runAuditStep({
+            root: options.root,
+            artifactsDir: options.artifactsDir,
+            preferredExecutor: "result_ingestion_executor",
+            auditResultsPath: batchFile,
+        });
+        lastStep = step;
+        anyProgress ||= step.progress_made;
+        for (const artifact of step.artifacts_written) {
+            artifactsWritten.add(artifact);
+        }
+        progressSummaries.push(`${basename(batchFile)}: ${step.progress_summary}`);
+    }
+    const bundle = lastStep?.updated_bundle ??
+        (await loadArtifactBundle(options.artifactsDir));
+    const state = deriveAuditState(bundle);
+    const decision = decideNextStep(bundle);
+    return {
+        batchFiles,
+        bundle,
+        audit_state: state,
+        selected_obligation: lastStep?.selected_obligation ?? decision.selected_obligation,
+        selected_executor: lastStep?.selected_executor ?? "result_ingestion_executor",
+        progress_made: anyProgress,
+        artifacts_written: Array.from(artifactsWritten),
+        progress_summary: `Imported ${batchFiles.length} batch result file${batchFiles.length === 1 ? "" : "s"} from ${options.batchDir}.` +
+            (progressSummaries.length > 0
+                ? `\n${progressSummaries.join("\n")}`
+                : ""),
+        next_likely_step: state.status === "complete" ? null : decision.selected_obligation,
+    };
+}

package/dist/cli/envelope.d.ts

@@ -0,0 +1,47 @@
+import type { ArtifactBundle } from "../io/artifacts.js";
+import type { AuditState } from "../types/auditState.js";
+import { type AuditCodeHandoff, type ActiveReviewRun } from "../supervisor/operatorHandoff.js";
+export declare const ADVANCE_AUDIT_CONTRACT_VERSION = "audit-code/v1alpha1";
+export declare function buildEnvelope(params: {
+    audit_state: unknown;
+    selected_obligation: string | null;
+    selected_executor: string | null;
+    progress_made: boolean;
+    artifacts_written: string[];
+    progress_summary: string;
+    next_likely_step: string | null;
+    handoff: AuditCodeHandoff;
+}): {
+    contract_version: string;
+    audit_state: unknown;
+    selected_obligation: string | null;
+    selected_executor: string | null;
+    progress_made: boolean;
+    artifacts_written: string[];
+    progress_summary: string;
+    next_likely_step: string | null;
+    handoff: AuditCodeHandoff;
+};
+export declare function emitEnvelope(params: {
+    root: string;
+    artifactsDir: string;
+    bundle: ArtifactBundle;
+    audit_state: AuditState;
+    selected_obligation: string | null;
+    selected_executor: string | null;
+    progress_made: boolean;
+    artifacts_written: string[];
+    progress_summary: string;
+    next_likely_step: string | null;
+    providerName?: string | null;
+    isConfigError?: boolean;
+    activeReviewRun?: ActiveReviewRun;
+}): Promise<void>;
+export declare function buildManualReviewBlocker(providerName: string): string;
+export declare function shouldRunInlineExecutor(selectedExecutor: string | null): boolean;
+export declare function buildBlockedAuditState(params: {
+    state: AuditState;
+    obligationId: string | null;
+    executor: string | null;
+    blocker: string;
+}): AuditState;

package/dist/cli/envelope.js

@@ -0,0 +1,64 @@
+import { LOCAL_SUBPROCESS_PROVIDER_NAME } from "../providers/constants.js";
+import { buildAuditCodeHandoff, writeAuditCodeHandoffArtifacts, } from "../supervisor/operatorHandoff.js";
+export const ADVANCE_AUDIT_CONTRACT_VERSION = "audit-code/v1alpha1";
+export function buildEnvelope(params) {
+    return {
+        contract_version: ADVANCE_AUDIT_CONTRACT_VERSION,
+        audit_state: params.audit_state,
+        selected_obligation: params.selected_obligation,
+        selected_executor: params.selected_executor,
+        progress_made: params.progress_made,
+        artifacts_written: params.artifacts_written,
+        progress_summary: params.progress_summary,
+        next_likely_step: params.next_likely_step,
+        handoff: params.handoff,
+    };
+}
+export async function emitEnvelope(params) {
+    const handoff = buildAuditCodeHandoff({
+        root: params.root,
+        artifactsDir: params.artifactsDir,
+        state: params.audit_state,
+        bundle: params.bundle,
+        providerName: params.providerName,
+        progressSummary: params.progress_summary,
+        isConfigError: params.isConfigError,
+        activeReviewRun: params.activeReviewRun,
+    });
+    await writeAuditCodeHandoffArtifacts(handoff);
+    console.log(JSON.stringify(buildEnvelope({
+        audit_state: params.audit_state,
+        selected_obligation: params.selected_obligation,
+        selected_executor: params.selected_executor,
+        progress_made: params.progress_made,
+        artifacts_written: params.artifacts_written,
+        progress_summary: params.progress_summary,
+        next_likely_step: params.next_likely_step,
+        handoff,
+    }), null, 2));
+}
+export function buildManualReviewBlocker(providerName) {
+    return providerName === LOCAL_SUBPROCESS_PROVIDER_NAME
+        ? "Ready for LLM semantic review. If the host exposes a callable subagent tool, prepare dispatch and fan out packets. " +
+            "If not, use single-task fallback: review only the first pending task, write one AuditResult to the run audit-results path, execute worker_command, then stop."
+        : "Audit blocked: waiting for manual audit results or interactive provider configuration.";
+}
+export function shouldRunInlineExecutor(selectedExecutor) {
+    return selectedExecutor !== null && selectedExecutor !== "agent";
+}
+export function buildBlockedAuditState(params) {
+    return {
+        ...params.state,
+        status: "blocked",
+        last_executor: params.executor ?? params.state.last_executor,
+        last_obligation: params.obligationId ?? params.state.last_obligation,
+        blockers: [...new Set([...(params.state.blockers ?? []), params.blocker])],
+        obligations: params.state.obligations.map((item) => item.id === params.obligationId
+            ? {
+                ...item,
+                state: "blocked",
+                reason: params.blocker,
+            }
+            : item),
+    };
+}

package/dist/cli/reviewRun.d.ts

@@ -0,0 +1,29 @@
+import { type ArtifactBundle } from "../io/artifacts.js";
+import type { AuditState } from "../types/auditState.js";
+import type { WorkerTask } from "../types/workerSession.js";
+import { type ActiveReviewRun } from "../supervisor/operatorHandoff.js";
+export declare function activeReviewRunFromTask(artifactsDir: string, task: WorkerTask): ActiveReviewRun | null;
+export declare function loadCurrentActiveReviewRun(artifactsDir: string): Promise<ActiveReviewRun | null>;
+export declare function writeHandoffOnly(params: {
+    root: string;
+    artifactsDir: string;
+    bundle: ArtifactBundle;
+    audit_state: AuditState;
+    progress_summary: string;
+    providerName?: string | null;
+    isConfigError?: boolean;
+    activeReviewRun?: ActiveReviewRun;
+}): Promise<void>;
+export declare function ensureSemanticReviewRun(params: {
+    root: string;
+    artifactsDir: string;
+    bundle: ArtifactBundle;
+    state: AuditState;
+    obligationId: string | null;
+    selfCliPath: string;
+    timeoutMs: number;
+}): Promise<{
+    state: AuditState;
+    bundle: ArtifactBundle;
+    activeReviewRun: ActiveReviewRun;
+}>;

package/dist/cli/reviewRun.js

@@ -0,0 +1,143 @@
+import { join } from "node:path";
+import { isFileMissingError, readJsonFile, writeJsonFile } from "@audit-tools/shared";
+import { writeCoreArtifacts } from "../io/artifacts.js";
+import { buildRunId, getRunPaths, writeWorkerTaskFiles, } from "../io/runArtifacts.js";
+import { renderWorkerPrompt } from "../prompts/renderWorkerPrompt.js";
+import { buildAuditCodeHandoff, writeAuditCodeHandoffArtifacts, } from "../supervisor/operatorHandoff.js";
+import { LOCAL_SUBPROCESS_PROVIDER_NAME } from "../providers/constants.js";
+import { addFileLineCountHints } from "./lineIndex.js";
+import { buildPendingAuditTasks } from "./dispatch.js";
+import { buildBlockedAuditState, buildManualReviewBlocker } from "./envelope.js";
+export function activeReviewRunFromTask(artifactsDir, task) {
+    if (task.preferred_executor !== "agent" || !task.audit_results_path) {
+        return null;
+    }
+    const paths = getRunPaths(artifactsDir, task.run_id);
+    return {
+        run_id: task.run_id,
+        task_path: paths.taskPath,
+        prompt_path: paths.promptPath,
+        pending_audit_tasks_path: task.pending_audit_tasks_path,
+        audit_results_path: task.audit_results_path,
+        worker_command: task.worker_command,
+    };
+}
+export async function loadCurrentActiveReviewRun(artifactsDir) {
+    try {
+        const task = await readJsonFile(join(artifactsDir, "dispatch", "current-task.json"));
+        return activeReviewRunFromTask(artifactsDir, task);
+    }
+    catch (error) {
+        if (isFileMissingError(error)) {
+            return null;
+        }
+        throw error;
+    }
+}
+export async function writeHandoffOnly(params) {
+    const handoff = buildAuditCodeHandoff({
+        root: params.root,
+        artifactsDir: params.artifactsDir,
+        state: params.audit_state,
+        bundle: params.bundle,
+        providerName: params.providerName,
+        progressSummary: params.progress_summary,
+        isConfigError: params.isConfigError,
+        activeReviewRun: params.activeReviewRun,
+    });
+    await writeAuditCodeHandoffArtifacts(handoff);
+}
+export async function ensureSemanticReviewRun(params) {
+    const existingRun = await loadCurrentActiveReviewRun(params.artifactsDir);
+    if (existingRun) {
+        const blockedState = params.bundle.audit_state?.status === "blocked"
+            ? params.bundle.audit_state
+            : buildBlockedAuditState({
+                state: params.state,
+                obligationId: params.obligationId,
+                executor: "agent",
+                blocker: buildManualReviewBlocker(LOCAL_SUBPROCESS_PROVIDER_NAME),
+            });
+        const blockedBundle = { ...params.bundle, audit_state: blockedState };
+        await writeCoreArtifacts(params.artifactsDir, blockedBundle);
+        await writeHandoffOnly({
+            root: params.root,
+            artifactsDir: params.artifactsDir,
+            bundle: blockedBundle,
+            audit_state: blockedState,
+            progress_summary: buildManualReviewBlocker(LOCAL_SUBPROCESS_PROVIDER_NAME),
+            providerName: LOCAL_SUBPROCESS_PROVIDER_NAME,
+            activeReviewRun: existingRun,
+        });
+        return {
+            state: blockedState,
+            bundle: blockedBundle,
+            activeReviewRun: existingRun,
+        };
+    }
+    const blockedState = buildBlockedAuditState({
+        state: params.state,
+        obligationId: params.obligationId,
+        executor: "agent",
+        blocker: buildManualReviewBlocker(LOCAL_SUBPROCESS_PROVIDER_NAME),
+    });
+    await writeCoreArtifacts(params.artifactsDir, {
+        ...params.bundle,
+        audit_state: blockedState,
+    });
+    const runId = buildRunId(params.obligationId, 1);
+    const paths = getRunPaths(params.artifactsDir, runId);
+    const pendingTasks = await addFileLineCountHints(params.root, buildPendingAuditTasks(params.bundle));
+    const pendingTasksPath = join(paths.runDir, "pending-audit-tasks.json");
+    const auditResultsPath = join(paths.runDir, "audit-results.json");
+    const taskReadPaths = new Set();
+    for (const pt of pendingTasks) {
+        for (const fp of pt.file_paths)
+            taskReadPaths.add(fp);
+    }
+    const task = {
+        contract_version: "audit-code-worker/v1alpha1",
+        run_id: runId,
+        repo_root: params.root,
+        artifacts_dir: params.artifactsDir,
+        obligation_id: params.obligationId,
+        preferred_executor: "agent",
+        result_path: paths.resultPath,
+        worker_command: [
+            process.execPath,
+            params.selfCliPath,
+            "worker-run",
+            "--task",
+            paths.taskPath,
+        ],
+        audit_results_path: auditResultsPath,
+        pending_audit_tasks_path: pendingTasksPath,
+        timeout_ms: params.timeoutMs,
+        max_retries: 0,
+        access: {
+            read_paths: [...taskReadPaths],
+            write_paths: [auditResultsPath, paths.resultPath],
+        },
+    };
+    const prompt = renderWorkerPrompt(task);
+    await writeWorkerTaskFiles(task, prompt, paths, params.artifactsDir, pendingTasks);
+    await writeJsonFile(pendingTasksPath, pendingTasks);
+    const activeReviewRun = activeReviewRunFromTask(params.artifactsDir, task);
+    if (!activeReviewRun) {
+        throw new Error("Internal error: failed to materialize active review run.");
+    }
+    const blockedBundle = {
+        ...params.bundle,
+        audit_state: blockedState,
+    };
+    await writeHandoffOnly({
+        root: params.root,
+        artifactsDir: params.artifactsDir,
+        bundle: blockedBundle,
+        audit_state: blockedState,
+        progress_summary: buildManualReviewBlocker(LOCAL_SUBPROCESS_PROVIDER_NAME),
+        providerName: LOCAL_SUBPROCESS_PROVIDER_NAME,
+        activeReviewRun,
+    });
+    return { state: blockedState, bundle: blockedBundle, activeReviewRun };
+}