auditor-lambda 0.7.0 → 0.9.0

package/dist/orchestrator/runtimeCommand.d.ts

@@ -0,0 +1,11 @@
+export declare function runCommand(command: string[], cwd: string, options?: {
+    opentoken?: boolean;
+}): Promise<{
+    status: "confirmed" | "not_confirmed" | "inconclusive";
+    summary: string;
+    evidence: string[];
+}>;
+export declare function resolveRuntimeValidationSpawnCommand(command: string[], platform?: NodeJS.Platform, shellCommand?: string): {
+    command: string;
+    args: string[];
+};

package/dist/orchestrator/runtimeCommand.js

@@ -0,0 +1,71 @@
+import { spawn } from "node:child_process";
+import { quoteForOpenTokenCmd, wrapForOpenToken } from "@audit-tools/shared";
+// Deterministic runtime-validation command execution: resolve a command to a
+// platform-correct spawn invocation (Windows package-manager shims need a
+// cmd.exe wrapper), optionally wrap it for opentoken accounting, and run it
+// capturing a confirmed/not_confirmed/inconclusive outcome. Hoisted out of
+// internalExecutors.ts as a shared, side-effect-only helper module.
+//
+// The cmd.exe quoting (both for the opentoken wrap and the package-manager
+// batch path) reuses the canonical exec.ts helpers so the safe-character set
+// stays unified — the two formerly-private copies here diverged on `@`.
+function resolveOpentokenWrap(resolved, platform = process.platform) {
+    return wrapForOpenToken(resolved.command, resolved.args, "opentoken", platform);
+}
+export async function runCommand(command, cwd, options = {}) {
+    let spawnCommand = resolveRuntimeValidationSpawnCommand(command);
+    if (options.opentoken) {
+        spawnCommand = resolveOpentokenWrap(spawnCommand);
+    }
+    const displayCommand = command.join(" ");
+    return await new Promise((resolve) => {
+        const child = spawn(spawnCommand.command, spawnCommand.args, {
+            cwd,
+            env: process.env,
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        let stdout = "";
+        let stderr = "";
+        child.stdout.on("data", (chunk) => {
+            stdout += String(chunk);
+        });
+        child.stderr.on("data", (chunk) => {
+            stderr += String(chunk);
+        });
+        child.on("error", (error) => {
+            resolve({
+                status: "inconclusive",
+                summary: `Failed to execute ${displayCommand}: ${error.message}`,
+                evidence: [],
+            });
+        });
+        child.on("exit", (code) => {
+            const output = `${stdout}\n${stderr}`.trim();
+            const evidence = output.length > 0 ? output.split(/\r?\n/).slice(-10) : [];
+            resolve({
+                status: code === 0 ? "confirmed" : "not_confirmed",
+                summary: code === 0
+                    ? `Deterministic runtime command succeeded: ${displayCommand}`
+                    : `Deterministic runtime command failed with exit code ${code}: ${displayCommand}`,
+                evidence,
+            });
+        });
+    });
+}
+export function resolveRuntimeValidationSpawnCommand(command, platform = process.platform, shellCommand = process.env.ComSpec ?? "cmd.exe") {
+    const [executable, ...args] = command;
+    if (!executable) {
+        return { command: "", args: [] };
+    }
+    if (platform !== "win32") {
+        return { command: executable, args };
+    }
+    const packageManager = executable.replace(/\.(cmd|bat)$/i, "").toLowerCase();
+    if (["npm", "npx", "pnpm", "yarn"].includes(packageManager)) {
+        return {
+            command: shellCommand,
+            args: ["/d", "/s", "/c", command.map(quoteForOpenTokenCmd).join(" ")],
+        };
+    }
+    return { command: executable, args };
+}

package/dist/orchestrator/scope.js

@@ -1,7 +1,7 @@
 import { changedFiles, gitRefExists, isGitRepo } from "@audit-tools/shared";
 import { buildDispositionMap } from "../extractors/disposition.js";
 import { buildPathLookup } from "../extractors/graph.js";
-import { HIGH_FAN_DEGREE_THRESHOLD, buildGraphDegreeIndex, collectGraphEdges, graphEdgeConfidence, normalizeGraphPath, } from "./reviewPackets.js";
+import { HIGH_FAN_DEGREE_THRESHOLD, buildGraphDegreeIndex, collectGraphEdges, graphEdgeConfidence, normalizeGraphPath, } from "./reviewPacketGraph.js";
 /** Default cap on in-scope files (seeds + expanded) before expansion stops. */
 export const DEFAULT_SCOPE_MAX_FILES = 200;
 /** Graph edges below this confidence are never traversed during expansion. */

package/dist/orchestrator/selectiveDeepening/conflict.d.ts

@@ -0,0 +1,8 @@
+import type { AuditTask } from "../../types.js";
+import { type FindingContext } from "./shared.js";
+export declare function buildConflictFollowupTask(params: {
+    contexts: FindingContext[];
+    conflictKey: string;
+    lineIndex?: Record<string, number>;
+}): AuditTask;
+export declare function conflictGroups(contexts: FindingContext[]): Map<string, FindingContext[]>;

package/dist/orchestrator/selectiveDeepening/conflict.js

@@ -0,0 +1,71 @@
+import { CONFIDENCE_RANK, DEEPENING_TAG, SEVERITY_RANK, lineCountForPath, sanitizeSegment, taskIdFor, uniqueSorted, } from "./shared.js";
+export function buildConflictFollowupTask(params) {
+    const [first] = params.contexts;
+    const paths = uniqueSorted(params.contexts.flatMap((context) => context.paths));
+    const maxSeverity = Math.max(...params.contexts.map((context) => SEVERITY_RANK[context.finding.severity]));
+    const lineSources = new Map();
+    for (const context of params.contexts) {
+        for (const path of context.paths) {
+            if (!lineSources.has(path)) {
+                lineSources.set(path, { task: context.task, result: context.result });
+            }
+        }
+    }
+    const sourceTaskIds = uniqueSorted(params.contexts.map((context) => context.result.task_id));
+    const findingIds = uniqueSorted(params.contexts.map((context) => context.finding.id));
+    return {
+        task_id: taskIdFor("conflict", [
+            params.conflictKey,
+            ...sourceTaskIds,
+            ...findingIds,
+        ]),
+        unit_id: first?.result.unit_id ?? "selective-deepening",
+        pass_id: `deepening:${first?.result.pass_id ?? "conflict"}`,
+        lens: (first?.result.lens ?? "correctness"),
+        file_paths: paths,
+        file_line_counts: Object.fromEntries(paths.map((path) => {
+            const source = lineSources.get(path);
+            return [
+                path,
+                source
+                    ? lineCountForPath(path, source.task, source.result, params.lineIndex)
+                    : (params.lineIndex?.[path] ?? 0),
+            ];
+        })),
+        rationale: `Reconcile conflicting audit output for ${params.conflictKey}. ` +
+            `Compare source tasks ${sourceTaskIds.join(", ")} and decide the correct severity, confidence, and evidence-backed conclusion.`,
+        priority: maxSeverity >= SEVERITY_RANK.high ? "high" : "medium",
+        tags: [
+            DEEPENING_TAG,
+            "trigger:conflicting_output",
+            ...sourceTaskIds.slice(0, 3).map((id) => `source_task:${sanitizeSegment(id)}`),
+        ],
+        status: "pending",
+    };
+}
+export function conflictGroups(contexts) {
+    const groups = new Map();
+    for (const context of contexts) {
+        for (const path of context.paths) {
+            const key = [
+                context.result.lens,
+                context.finding.category,
+                path.toLowerCase(),
+            ].join(":");
+            const group = groups.get(key) ?? [];
+            group.push(context);
+            groups.set(key, group);
+        }
+    }
+    for (const [key, group] of groups) {
+        const uniqueTasks = new Set(group.map((context) => context.result.task_id));
+        const severities = group.map((context) => SEVERITY_RANK[context.finding.severity]);
+        const confidences = group.map((context) => CONFIDENCE_RANK[context.finding.confidence]);
+        const severitySpread = Math.max(...severities) - Math.min(...severities);
+        const confidenceSpread = Math.max(...confidences) - Math.min(...confidences);
+        if (uniqueTasks.size < 2 || (severitySpread < 2 && confidenceSpread < 2)) {
+            groups.delete(key);
+        }
+    }
+    return groups;
+}

package/dist/orchestrator/selectiveDeepening/findingFollowup.d.ts

@@ -0,0 +1,10 @@
+import type { AuditResult, AuditTask, Finding } from "../../types.js";
+import { type FindingContext } from "./shared.js";
+export declare function buildFindingFollowupTask(params: {
+    result: AuditResult;
+    task?: AuditTask;
+    finding: Finding;
+    triggers: string[];
+    lineIndex?: Record<string, number>;
+}): AuditTask;
+export declare function findingContexts(results: AuditResult[], taskById: Map<string, AuditTask>): FindingContext[];

package/dist/orchestrator/selectiveDeepening/findingFollowup.js

@@ -0,0 +1,52 @@
+import { DEEPENING_TAG, SEVERITY_RANK, isDeepeningTask, lineCountForPath, pathsForFinding, sanitizeSegment, taskIdFor, } from "./shared.js";
+export function buildFindingFollowupTask(params) {
+    const paths = pathsForFinding(params.finding, params.result, params.task);
+    const triggerLabel = params.triggers.join("+");
+    const taskId = taskIdFor("finding", [
+        params.result.task_id,
+        params.finding.id,
+        triggerLabel,
+    ]);
+    const priority = SEVERITY_RANK[params.finding.severity] >= SEVERITY_RANK.high
+        ? "high"
+        : "medium";
+    return {
+        task_id: taskId,
+        unit_id: params.result.unit_id,
+        pass_id: `deepening:${params.result.pass_id}`,
+        lens: params.result.lens,
+        file_paths: paths,
+        file_line_counts: Object.fromEntries(paths.map((path) => [
+            path,
+            lineCountForPath(path, params.task, params.result, params.lineIndex),
+        ])),
+        rationale: `Follow up on ${params.finding.id} (${params.finding.severity}/${params.finding.confidence}) from ${params.result.task_id}. ` +
+            "Verify impact, evidence quality, affected scope, and whether the finding should stand, narrow, or be downgraded.",
+        priority,
+        tags: [
+            DEEPENING_TAG,
+            ...params.triggers.map((trigger) => `trigger:${trigger}`),
+            `source_task:${sanitizeSegment(params.result.task_id)}`,
+            `finding:${sanitizeSegment(params.finding.id)}`,
+        ],
+        status: "pending",
+    };
+}
+export function findingContexts(results, taskById) {
+    const contexts = [];
+    for (const result of results) {
+        const task = taskById.get(result.task_id);
+        if (isDeepeningTask(task)) {
+            continue;
+        }
+        for (const finding of result.findings) {
+            contexts.push({
+                result,
+                task,
+                finding,
+                paths: pathsForFinding(finding, result, task),
+            });
+        }
+    }
+    return contexts;
+}

package/dist/orchestrator/selectiveDeepening/highRiskClean.d.ts

@@ -0,0 +1,7 @@
+import type { AuditResult, AuditTask } from "../../types.js";
+export declare function isHighRiskCleanResult(result: AuditResult, task: AuditTask | undefined): boolean;
+export declare function buildHighRiskCleanFollowupTask(params: {
+    result: AuditResult;
+    task?: AuditTask;
+    lineIndex?: Record<string, number>;
+}): AuditTask;

package/dist/orchestrator/selectiveDeepening/highRiskClean.js

@@ -0,0 +1,44 @@
+import { DEEPENING_TAG, isDeepeningTask, lineCountForPath, sanitizeSegment, taskIdFor, uniqueSorted, } from "./shared.js";
+export function isHighRiskCleanResult(result, task) {
+    if (result.findings.length > 0 ||
+        result.requires_followup === false ||
+        isDeepeningTask(task)) {
+        return false;
+    }
+    if (!task) {
+        return (result.requires_followup === true &&
+            (result.lens === "security" || result.lens === "data_integrity"));
+    }
+    if (task.priority === "high") {
+        return true;
+    }
+    if (task.tags?.some((tag) => ["critical_flow", "external_analyzer_signal"].includes(tag))) {
+        return true;
+    }
+    return result.requires_followup === true && task.priority === "medium";
+}
+export function buildHighRiskCleanFollowupTask(params) {
+    const paths = uniqueSorted((params.task?.file_paths.length ?? 0) > 0
+        ? (params.task?.file_paths ?? [])
+        : params.result.file_coverage.map((coverage) => coverage.path));
+    return {
+        task_id: taskIdFor("clean", [params.result.task_id, params.result.lens]),
+        unit_id: params.result.unit_id,
+        pass_id: `deepening:${params.result.pass_id}`,
+        lens: params.result.lens,
+        file_paths: paths,
+        file_line_counts: Object.fromEntries(paths.map((path) => [
+            path,
+            lineCountForPath(path, params.task, params.result, params.lineIndex),
+        ])),
+        rationale: `Sample high-risk no-finding result from ${params.result.task_id}. ` +
+            "Re-review the assigned files for missed edge cases, hidden runtime failures, and whether the clean conclusion should stand.",
+        priority: params.task?.priority === "high" ? "high" : "medium",
+        tags: [
+            DEEPENING_TAG,
+            "trigger:high_risk_no_finding",
+            `source_task:${sanitizeSegment(params.result.task_id)}`,
+        ],
+        status: "pending",
+    };
+}

package/dist/orchestrator/selectiveDeepening/index.d.ts

@@ -0,0 +1,18 @@
+import type { AuditTask } from "../../types.js";
+import { type BuildSelectiveDeepeningTaskOptions } from "./shared.js";
+export type { BuildSelectiveDeepeningTaskOptions } from "./shared.js";
+/**
+ * Build the bounded set of selective-deepening follow-up tasks. Each strategy
+ * (finding-followup, conflict, steward-followup, runtime-validation, lens-
+ * verification, high-risk-clean) lives in its own module under this directory;
+ * this entry sequences them and enforces the shared budget (`effectiveMax`,
+ * `maxTotalDeepeningTasks`) and dedupe (via `pushIfNew`). Task ordering, caps,
+ * and dedupe are unchanged from the former single-file implementation.
+ */
+export declare function buildSelectiveDeepeningTasks(options: BuildSelectiveDeepeningTaskOptions): AuditTask[];
+export declare const selectiveDeepeningTestUtils: {
+    DEEPENING_TAG: string;
+    LENS_VERIFICATION_TAG: string;
+    LENS_VERIFICATION_FOLLOWUP_TAG: string;
+    DEFAULT_MAX_TOTAL_DEEPENING_TASKS: number;
+};

package/dist/orchestrator/selectiveDeepening/index.js

@@ -0,0 +1,128 @@
+import { DEFAULT_MAX_DEEPENING_TASKS, DEFAULT_MAX_TOTAL_DEEPENING_TASKS, DEEPENING_TAG, LENS_VERIFICATION_FOLLOWUP_TAG, LENS_VERIFICATION_TAG, SEVERITY_RANK, intersects, isDeepeningTask, priorityRank, } from "./shared.js";
+import { buildFindingFollowupTask, findingContexts } from "./findingFollowup.js";
+import { buildConflictFollowupTask, conflictGroups } from "./conflict.js";
+import { buildHighRiskCleanFollowupTask, isHighRiskCleanResult, } from "./highRiskClean.js";
+import { buildRuntimeValidationFollowupTask, runtimeResultNeedsFollowup, runtimeValidationHasStrongStaticFinding, } from "./runtimeValidation.js";
+import { buildLensVerificationTasks } from "./lensVerification.js";
+import { buildVerificationFollowupTasks } from "./stewardFollowup.js";
+/**
+ * Build the bounded set of selective-deepening follow-up tasks. Each strategy
+ * (finding-followup, conflict, steward-followup, runtime-validation, lens-
+ * verification, high-risk-clean) lives in its own module under this directory;
+ * this entry sequences them and enforces the shared budget (`effectiveMax`,
+ * `maxTotalDeepeningTasks`) and dedupe (via `pushIfNew`). Task ordering, caps,
+ * and dedupe are unchanged from the former single-file implementation.
+ */
+export function buildSelectiveDeepeningTasks(options) {
+    const taskById = new Map((options.existingTasks ?? []).map((task) => [task.task_id, task]));
+    const existingTasks = options.existingTasks ?? [];
+    const existingIds = new Set(taskById.keys());
+    const maxTasks = options.maxTasks ?? DEFAULT_MAX_DEEPENING_TASKS;
+    const maxTotalDeepeningTasks = options.maxTotalDeepeningTasks ?? DEFAULT_MAX_TOTAL_DEEPENING_TASKS;
+    const existingDeepeningCount = existingTasks.filter((task) => isDeepeningTask(task)).length;
+    if (existingDeepeningCount >= maxTotalDeepeningTasks) {
+        return [];
+    }
+    const remainingBudget = maxTotalDeepeningTasks - existingDeepeningCount;
+    const effectiveMax = Math.min(maxTasks, remainingBudget);
+    const created = [];
+    function pushIfNew(task) {
+        if (created.length >= effectiveMax || existingIds.has(task.task_id)) {
+            return;
+        }
+        existingIds.add(task.task_id);
+        created.push(task);
+    }
+    const contexts = findingContexts(options.results, taskById);
+    for (const context of contexts) {
+        const triggers = [];
+        if (SEVERITY_RANK[context.finding.severity] >= SEVERITY_RANK.high) {
+            triggers.push("high_severity");
+        }
+        if (context.finding.confidence === "low") {
+            triggers.push("low_confidence");
+        }
+        if (triggers.length === 0) {
+            continue;
+        }
+        pushIfNew(buildFindingFollowupTask({
+            result: context.result,
+            task: context.task,
+            finding: context.finding,
+            triggers,
+            lineIndex: options.lineIndex,
+        }));
+    }
+    for (const [key, group] of [...conflictGroups(contexts).entries()].sort(([a], [b]) => a.localeCompare(b))) {
+        pushIfNew(buildConflictFollowupTask({
+            contexts: group,
+            conflictKey: key,
+            lineIndex: options.lineIndex,
+        }));
+    }
+    for (const result of options.results) {
+        const task = taskById.get(result.task_id);
+        for (const followupTask of buildVerificationFollowupTasks({
+            result,
+            task,
+            lineIndex: options.lineIndex,
+        })) {
+            pushIfNew(followupTask);
+        }
+    }
+    const runtimeTaskById = new Map((options.runtimeValidationTasks?.tasks ?? []).map((task) => [
+        task.id,
+        task,
+    ]));
+    for (const result of [...(options.runtimeValidationReport?.results ?? [])].sort((a, b) => a.task_id.localeCompare(b.task_id))) {
+        if (!runtimeResultNeedsFollowup(result.status)) {
+            continue;
+        }
+        const runtimeTask = runtimeTaskById.get(result.task_id);
+        if (!runtimeTask || runtimeTask.target_paths.length === 0) {
+            continue;
+        }
+        if (runtimeValidationHasStrongStaticFinding(runtimeTask, contexts)) {
+            continue;
+        }
+        const relatedTasks = existingTasks.filter((task) => !isDeepeningTask(task) && intersects(task.file_paths, runtimeTask.target_paths));
+        pushIfNew(buildRuntimeValidationFollowupTask({
+            runtimeTask,
+            runtimeResultStatus: result.status,
+            relatedTasks,
+            results: options.results,
+            lineIndex: options.lineIndex,
+        }));
+    }
+    for (const task of buildLensVerificationTasks({
+        existingTasks,
+        results: options.results,
+        lineIndex: options.lineIndex,
+        externalAnalyzerResults: options.externalAnalyzerResults,
+    })) {
+        pushIfNew(task);
+    }
+    const cleanResults = options.results
+        .map((result) => ({ result, task: taskById.get(result.task_id) }))
+        .filter(({ result, task }) => isHighRiskCleanResult(result, task))
+        .sort((a, b) => {
+        const priorityDelta = priorityRank(b.task?.priority) - priorityRank(a.task?.priority);
+        if (priorityDelta !== 0)
+            return priorityDelta;
+        return a.result.task_id.localeCompare(b.result.task_id);
+    });
+    for (const { result, task } of cleanResults) {
+        pushIfNew(buildHighRiskCleanFollowupTask({
+            result,
+            task,
+            lineIndex: options.lineIndex,
+        }));
+    }
+    return created;
+}
+export const selectiveDeepeningTestUtils = {
+    DEEPENING_TAG,
+    LENS_VERIFICATION_TAG,
+    LENS_VERIFICATION_FOLLOWUP_TAG,
+    DEFAULT_MAX_TOTAL_DEEPENING_TASKS,
+};

package/dist/orchestrator/selectiveDeepening/lensVerification.d.ts

@@ -0,0 +1,12 @@
+import type { AuditResult, AuditTask } from "../../types.js";
+import type { ExternalAnalyzerResults } from "../../types/externalAnalyzer.js";
+export interface LensVerificationSource {
+    result: AuditResult;
+    task?: AuditTask;
+}
+export declare function buildLensVerificationTasks(params: {
+    existingTasks: AuditTask[];
+    results: AuditResult[];
+    lineIndex?: Record<string, number>;
+    externalAnalyzerResults?: ExternalAnalyzerResults;
+}): AuditTask[];