auditor-lambda 0.7.0 → 0.8.0

package/schemas/audit_findings.schema.json

@@ -45,7 +45,8 @@
           "confidence",
           "lens",
           "summary",
-          "affected_files"
+          "affected_files",
+          "evidence"
         ],
         "properties": {
           "id": { "type": "string" },
@@ -76,7 +77,7 @@
           },
           "impact": { "type": "string" },
           "likelihood": { "type": "string" },
-          "evidence": { "type": "array", "items": { "type": "string" } },
+          "evidence": { "type": "array", "minItems": 1, "items": { "type": "string" } },
           "reproduction": { "type": "array", "items": { "type": "string" } },
           "systemic": { "type": "boolean" },
           "related_findings": { "type": "array", "items": { "type": "string" } },

package/schemas/dispatch_quota.schema.json

@@ -101,6 +101,7 @@
     "quota_source_snapshot": {
       "type": ["object", "null"],
       "description": "Real-time usage snapshot from a QuotaSource, if available.",
+      "additionalProperties": false,
       "properties": {
         "remaining_pct": { "type": ["number", "null"] },
         "reset_at": { "type": ["string", "null"], "format": "date-time" },
@@ -113,6 +114,7 @@
     "backoff_state": {
       "type": ["object", "null"],
       "description": "Exponential backoff state for repeated rate-limit errors.",
+      "additionalProperties": false,
       "properties": {
         "consecutive_429_count": { "type": "integer", "minimum": 0 },
         "current_cooldown_ms": { "type": "integer", "minimum": 0 },

package/schemas/external_analyzer_results.schema.json

@@ -58,8 +58,8 @@
             "enum": ["critical", "high", "medium", "low", "info"]
           },
           "path": { "type": "string" },
-          "line_start": { "type": "integer" },
-          "line_end": { "type": "integer" },
+          "line_start": { "type": "integer", "minimum": 1 },
+          "line_end": { "type": "integer", "minimum": 1 },
           "summary": { "type": "string" },
           "rule": { "type": "string" },
           "raw": {}

package/schemas/repo_manifest.schema.json

@@ -15,7 +15,7 @@
       },
       "additionalProperties": false
     },
-    "generated_at": { "type": "string" },
+    "generated_at": { "type": "string", "format": "date-time" },
     "files": {
       "type": "array",
       "items": {

package/docs/handoff.md

@@ -1,204 +0,0 @@
-# Handoff
-
-Current pickup note for the next implementation agent. Keep durable product
-direction in `docs/product.md`, engineering workflow in `docs/development.md`,
-contracts in `docs/contracts.md`, and operator steps in
-`docs/operator-guide.md`.
-
-## Current State
-
-The docs refresh remains consolidated under `docs/`; do not restore old
-phase-specific docs unless asked. Checked-in `dist/` is expected to be rebuilt
-after TypeScript changes.
-
-Graph-informed packetization is in place and observable through
-`review_packets.json` and `audit_plan_metrics.json`: packet entrypoints,
-key edges, boundary files, quality, merge/boundary edge kinds, weak packet
-counts, gap counts, extension counts, and bounded samples are all emitted.
-
-Latest completed slice:
-
-- completed the remediator-lambda audit end-to-end after refreshing stale
-  artifacts:
-  - `run-to-completion` refreshed file disposition, auto-fix, structure,
-    planning, runtime validation, and synthesis
-  - resolved all additional runtime/selective-deepening handoffs; final
-    `audit_tasks.json` had 81 tasks, all complete, 0 pending
-  - fixed target-side Windows/runtime validation noise in remediator-lambda:
-    `src/phases/plan.ts` no longer invokes `npx vitest`/`npx jest` in temp
-    roots without `package.json`; `tests/phase-plan.test.ts` has a longer
-    cleanup retry/hook timeout; `vitest.config.ts` excludes generated
-    audit/provider directories from test discovery
-  - `npm test` in `C:\Code\remediator-lambda` now passes: 5 test files,
-    51 tests
-  - final synthesis promoted `C:\Code\remediator-lambda\audit-report.md`
-    (47 findings, 16 work blocks), and `.audit-artifacts` was cleaned by
-    completion
-  - `node C:\Code\auditor-lambda\dist\index.js validate --root
-    C:\Code\remediator-lambda --artifacts-dir
-    C:\Code\remediator-lambda\.audit-artifacts` reports `issue_count: 0`
-
-Prior completed remediator slice:
-
-- completed the remediator-lambda final selective-deepening round:
-  - created dispatch run `20260509T180000000Z_audit_tasks_completed_002`
-    for the two remaining pending tasks
-  - submitted packet
-    `lens-steward-security:security-reliability:packet-1-cfa943527d`;
-    accepted 2 result entries, `finding_count: 0`
-  - `merge-and-ingest` accepted 2 result entries, rejected 0,
-    `spurious_file_count: 0`, `finding_count: 0`
-  - `audit_tasks.json` now has 73 tasks, all `complete`, 0 pending
-  - `audit-code validate` on the remediator artifact bundle reports
-    `issue_count: 0`
-
-Prior completed implementation slice:
-
-- fixed `merge-and-ingest` to treat unexpected files in `task-results/` as
-  warnings rather than hard failures; subagents sometimes write a spurious
-  packet-level result file alongside per-task `submit-packet` submissions —
-  the unexpected file check now emits a stderr warning and increments
-  `spurious_file_count` in the output JSON, but does not block ingestion when
-  all backend-assigned result files are present and valid
-- added regression test: `merge-and-ingest proceeds despite unexpected files
-  in task-results/`; test count: 199 passing
-- fixed Windows `EBUSY` test cleanup in `remediator-lambda/tests/phase-plan.test.ts`:
-  `enumerateTestFiles` calls `spawnSync("npx vitest ...")` in the temp dir;
-  on Windows the child process handle lingers briefly after return, causing
-  `rm()` in `afterEach` to EBUSY; added `rmWithRetry` (5 attempts, 100ms×n
-  backoff) used in both `beforeEach` and `afterEach`; remediator-lambda now
-  passes all 153 tests cleanly
-
-Prior completed slice:
-
-- added `python-test-util-suite-link` edges: `.py` files co-located in a
-  `utils/`, `helpers/`, or `support/` subdirectory within an `isTestPath`
-  directory are chained as a suite (same bounded-suite pattern as existing
-  TypeScript type / JSON schema / package-script suites); `conftest.py` is
-  excluded from the predicate
-- confidence: `0.72`; direction: `undirected`
-- added 3 focused unit tests; rebuilt checked-in `dist/`
-
-Field evidence (Polar-CV-KAN):
-
-- canonical run: `.audit-artifacts/polar-python-util-suite-20260509`
-  (7 packets, 1.000 cohesion, 2 weak packets)
-- `python-test-util-suite-link` produces 2 intra-unit edges within the
-  `tests-utils` packet (`assertions.py → mocks.py`, `mocks.py → test_data.py`)
-- `tests-utils` packet: `internal_edge_count` 0 → 2; `cohesion_score` 0 → 1;
-  `unexplained_file_count` 3 → 0; no longer a weak packet
-- Polar metrics: 7 packets, **1.000 cohesion** (up from 0.857), **2 weak
-  packets** (down from 3)
-- 2 remaining weak packets are `unexplained_files` type; genuinely isolated
-  files (`.auditorignore`, `experiments/domains/__init__.py`,
-  `experiments/summarize_results.py`) cannot be linked without false positives
-
-Field evidence (remediator-lambda):
-
-- baseline: `.audit-artifacts/remediator-yaml-refs-20260508`
-- remediator metrics stable: 62 tasks, 3 packets, 1.000 cohesion, 0 weak
-  packets; `python-test-util-suite-link` adds 0 edges (TypeScript repo, no
-  `.py` files)
-- remediator full audit loop completed: `.audit-artifacts/` (in-progress run
-  `20260509T153435008Z_audit_tasks_completed_006` + deepening run
-  `20260509T155225210Z_audit_tasks_completed_001`); first round produced 42
-  findings across 65 tasks; deepening round added 4 findings across 6 tasks
-- remediator deepening `merge-and-ingest` retry succeeded after the spurious
-  file fix:
-  - command used:
-    `node C:\Code\auditor-lambda\dist\index.js merge-and-ingest --run-id 20260509T155225210Z_audit_tasks_completed_001 --root C:\Code\remediator-lambda --artifacts-dir C:\Code\remediator-lambda\.audit-artifacts`
-  - accepted 6 result entries, rejected 0, `spurious_file_count: 1`,
-    `finding_count: 4`
-  - result ingestion progressed and added 2 selective deepening tasks
-- current remediator artifact state after retry: `audit_results_ingested`
-  present, `audit_tasks_completed` satisfied, `requeue_tasks.json` empty,
-  `audit_tasks.json` has 73 tasks with 0 pending after final selective
-  deepening run `20260509T180000000Z_audit_tasks_completed_002`
-- final selective deepening verified the existing `src/types/workerSession.ts`
-  security findings and upheld the reliability no-finding result for
-  `src/types/sessionConfig.ts`, `src/types/workerResult.ts`, and
-  `src/types/workerSession.ts`; it added 0 findings
-- current remediator packet metrics: 73 tasks, 3 packets, 1.000 cohesion,
-  1 weak packet with 1 unexplained file
-- final refreshed remediator audit completed with 81 tasks, all complete, and
-  final `audit-report.md` at repo root. Runtime validation was confirmed after
-  excluding generated audit/provider directories from Vitest discovery; the
-  earlier `EBUSY` output was environmental noise from generated worktrees.
-
-## Verification
-
-Completed:
-
-```bash
-npm run build
-npm test   # 199 passing
-node C:\Code\auditor-lambda\dist\index.js merge-and-ingest --run-id 20260509T180000000Z_audit_tasks_completed_002 --root C:\Code\remediator-lambda --artifacts-dir C:\Code\remediator-lambda\.audit-artifacts
-node C:\Code\auditor-lambda\dist\index.js validate --root C:\Code\remediator-lambda --artifacts-dir C:\Code\remediator-lambda\.audit-artifacts
-npm test   # in C:\Code\remediator-lambda, 51 passing
-node C:\Code\auditor-lambda\dist\index.js run-to-completion --root C:\Code\remediator-lambda --artifacts-dir C:\Code\remediator-lambda\.audit-artifacts --max-runs 10
-node C:\Code\auditor-lambda\dist\index.js validate --root C:\Code\remediator-lambda --artifacts-dir C:\Code\remediator-lambda\.audit-artifacts
-```
-
-## Files Touched Recently
-
-- `src/cli.ts` — `cmdMergeAndIngest`: unexpected files → warning, not failure
-- `tests/audit-code-wrapper.test.mjs` — new regression test
-- `dist/` — rebuilt
-- `C:\Code\remediator-lambda\src\phases\plan.ts` — avoid test-runner
-  enumeration in roots without `package.json`
-- `C:\Code\remediator-lambda\tests\phase-plan.test.ts` — sturdier
-  `rmWithRetry` helper and longer hook timeout
-- `C:\Code\remediator-lambda\vitest.config.ts` — exclude generated
-  audit/provider directories from test discovery
-- `C:\Code\remediator-lambda\audit-report.md` — final promoted report
-- `docs/handoff.md`
-
-## Next Steps
-
-1. The 2 remaining weak packets in Polar (`experiments-domains` with 5
-   unexplained files, `tests-tiny-files` with 3 unexplained files) share the
-   same genuinely isolated files (`.auditorignore`,
-   `experiments/domains/__init__.py`, `experiments/summarize_results.py`).
-   No extractor can address these without false positives; treat as floor.
-   Only revisit if a future field trial on a different repo surfaces the same
-   pattern in fixable form.
-2. Remediator-lambda field trial is closed. Review the final
-   `C:\Code\remediator-lambda\audit-report.md` only if you need product
-   remediation planning; no audit-code backend work remains for that run.
-3. Run the release/publish flow only when intentionally cutting a version.
-
-## Cautions
-
-- `AuditTask` remains the deterministic coverage identity; `ReviewPacket`
-  should not replace result ingestion contracts.
-- Weak graph edges, semantic affinity, and shared token frequency should remain
-  context unless deterministic graph evidence corroborates them.
-- Boundary files are evidence hints. Worker prompts should continue to
-  discourage broad reads outside the packet.
-- Keep suite links bounded and evidence-led; do not turn same-directory
-  proximity into a broad packet merge rule.
-- `conftest-link` fires only when conftest.py is inside a `isTestPath`
-  directory; root-level conftest.py is deliberately excluded to avoid O(n)
-  fan-out to all Python files.
-- `yaml-path-reference-link` only matches string values ending in config
-  extensions (`.yaml`, `.yml`, `.json`, `.toml`) that resolve to an existing
-  file in the repo; absolute URLs and values without `/` are excluded.
-- `python-test-util-suite-link` predicate requires all four conditions: `.py`
-  extension, NOT a conftest, parent dir name in `{utils, helpers, support}`,
-  and the parent dir's normalized path passes `isTestPath`. Do not broaden the
-  dir-name set without field evidence from a real repository.
-- `python-test-util-suite-link` edges appear as intra-unit edges (not counted
-  in `merge_edge_kind_counts`) when all suite files belong to the same unit.
-  This is correct — the edges still increment `internal_edge_count` and clear
-  the weak-packet flag. Absence from merge counts does not mean the edges are
-  inactive.
-- `merge-and-ingest` unexpected files now warn to stderr and increment
-  `spurious_file_count` in the output JSON. They do not cause ingestion to
-  fail. The check is still present to make spurious writes visible.
-- In this sandbox, running the wrapper from `C:\Code\auditor-lambda` with an
-  absolute remediator root hit an `EPERM` while overwriting the existing
-  remediator run `audit-results.json`; invoking the built CLI directly from
-  `C:\Code\remediator-lambda` succeeded. Treat this as an execution-environment
-  wrinkle unless it reproduces outside the sandbox.
-- Final remediator completion cleaned `.audit-artifacts`; use the promoted
-  repo-root `audit-report.md` and `validate` output as the source of truth.