auditor-lambda 0.7.0 → 0.9.0

package/dist/orchestrator/ingestionExecutors.js

@@ -0,0 +1,237 @@
+import { runCommand } from "./runtimeCommand.js";
+import { buildFlowCoverage } from "./flowCoverage.js";
+import { buildRequeuePayload } from "./requeueCommand.js";
+import { buildRuntimeValidationTasks, mergeRuntimeValidationReport, } from "./runtimeValidation.js";
+import { ingestAuditResults, updateAuditTaskStatuses, } from "./resultIngestion.js";
+import { buildAuditPlanMetrics, buildReviewPackets, sizeIndexFromManifest, } from "./reviewPackets.js";
+import { updateRuntimeValidationReport } from "./runtimeValidationUpdate.js";
+import { buildSelectiveDeepeningTasks } from "./selectiveDeepening.js";
+function lineIndexFromTasks(tasks) {
+    return Object.fromEntries((tasks ?? []).flatMap((task) => Object.entries(task.file_line_counts ?? {})));
+}
+function appendSelectiveDeepeningTasks(params) {
+    if (!params.bundle.audit_tasks) {
+        return { bundle: params.bundle, taskCount: 0, artifacts: [] };
+    }
+    const lineIndex = lineIndexFromTasks(params.bundle.audit_tasks);
+    const sizeIndex = sizeIndexFromManifest(params.bundle.repo_manifest);
+    const selectiveDeepeningTasks = buildSelectiveDeepeningTasks({
+        existingTasks: params.bundle.audit_tasks,
+        results: params.results,
+        lineIndex,
+        runtimeValidationTasks: params.bundle.runtime_validation_tasks,
+        runtimeValidationReport: params.runtimeValidationReport ?? params.bundle.runtime_validation_report,
+        externalAnalyzerResults: params.bundle.external_analyzer_results,
+    });
+    if (selectiveDeepeningTasks.length === 0) {
+        return { bundle: params.bundle, taskCount: 0, artifacts: [] };
+    }
+    const auditTasks = [...params.bundle.audit_tasks, ...selectiveDeepeningTasks];
+    return {
+        bundle: {
+            ...params.bundle,
+            audit_tasks: auditTasks,
+            audit_plan_metrics: buildAuditPlanMetrics(auditTasks, {
+                graphBundle: params.bundle.graph_bundle,
+                lineIndex,
+                sizeIndex,
+            }),
+            review_packets: buildReviewPackets(auditTasks, {
+                graphBundle: params.bundle.graph_bundle,
+                lineIndex,
+                sizeIndex,
+            }),
+        },
+        taskCount: selectiveDeepeningTasks.length,
+        artifacts: ["audit_tasks.json", "audit_plan_metrics.json", "review_packets.json"],
+    };
+}
+/**
+ * Apply selective deepening to an already-prepared base bundle and return the
+ * pieces every executor needs to assemble its `ExecutorRunResult`: the updated
+ * bundle, the deepening artifacts, and the progress-summary suffix.
+ *
+ * Centralizing this keeps the three executors that run deepening consistent —
+ * previously each site invoked `appendSelectiveDeepeningTasks` and then
+ * re-derived the same `Added N selective deepening task(s)` suffix by hand.
+ * `excludeArtifacts` lets a caller that already lists an artifact explicitly
+ * (the result-ingestion executor lists `audit_tasks.json`) drop it from the
+ * spread so it is never double-counted.
+ */
+function applySelectiveDeepening(params) {
+    const selectiveDeepening = appendSelectiveDeepeningTasks({
+        bundle: params.baseBundle,
+        results: params.results,
+        runtimeValidationReport: params.runtimeValidationReport,
+    });
+    const exclude = new Set(params.excludeArtifacts ?? []);
+    return {
+        bundle: selectiveDeepening.bundle,
+        artifacts: selectiveDeepening.artifacts.filter((artifact) => !exclude.has(artifact)),
+        summarySuffix: selectiveDeepening.taskCount > 0
+            ? ` Added ${selectiveDeepening.taskCount} selective deepening task(s).`
+            : "",
+    };
+}
+export function runResultIngestionExecutor(bundle, results) {
+    if (!bundle.coverage_matrix) {
+        throw new Error("Cannot ingest results without coverage_matrix");
+    }
+    const updatedCoverageMatrix = ingestAuditResults(bundle.coverage_matrix, results);
+    const flowCoverage = bundle.critical_flows
+        ? buildFlowCoverage(bundle.critical_flows, updatedCoverageMatrix)
+        : bundle.flow_coverage;
+    const runtimeCommand = bundle.runtime_validation_tasks?.tasks.find((task) => task.command && task.command.length > 0)?.command;
+    const runtimeValidationTasks = bundle.unit_manifest && flowCoverage
+        ? buildRuntimeValidationTasks({
+            unitManifest: bundle.unit_manifest,
+            criticalFlows: bundle.critical_flows,
+            flowCoverage,
+            command: runtimeCommand,
+        })
+        : bundle.runtime_validation_tasks;
+    const runtimeValidationReport = runtimeValidationTasks
+        ? mergeRuntimeValidationReport(runtimeValidationTasks, bundle.runtime_validation_report)
+        : bundle.runtime_validation_report;
+    const mergedResults = [...(bundle.audit_results ?? []), ...results];
+    const completedAuditTasks = updateAuditTaskStatuses(bundle.audit_tasks, mergedResults);
+    const baseUpdatedBundle = {
+        ...bundle,
+        coverage_matrix: updatedCoverageMatrix,
+        flow_coverage: flowCoverage,
+        runtime_validation_tasks: runtimeValidationTasks,
+        runtime_validation_report: runtimeValidationReport,
+        audit_results: mergedResults,
+        audit_tasks: completedAuditTasks,
+        audit_report: undefined,
+    };
+    const selectiveDeepening = applySelectiveDeepening({
+        baseBundle: baseUpdatedBundle,
+        results: mergedResults,
+        runtimeValidationReport,
+        excludeArtifacts: ["audit_tasks.json"],
+    });
+    const requeuePayload = buildRequeuePayload(updatedCoverageMatrix, selectiveDeepening.bundle.critical_flows, selectiveDeepening.bundle.flow_coverage, selectiveDeepening.bundle.external_analyzer_results);
+    const finalBundle = {
+        ...selectiveDeepening.bundle,
+        requeue_tasks: requeuePayload.tasks,
+    };
+    return {
+        updated: finalBundle,
+        artifacts_written: [
+            "coverage_matrix.json",
+            "flow_coverage.json",
+            ...(runtimeValidationTasks ? ["runtime_validation_tasks.json"] : []),
+            ...(runtimeValidationReport ? ["runtime_validation_report.json"] : []),
+            "audit_results.jsonl",
+            "audit_tasks.json",
+            ...selectiveDeepening.artifacts,
+            "requeue_tasks.json",
+        ],
+        progress_summary: `Ingested ${results.length} audit result entries and refreshed dependent artifacts.` +
+            selectiveDeepening.summarySuffix,
+    };
+}
+export async function runRuntimeValidationExecutor(bundle, root, options = {}) {
+    if (!bundle.runtime_validation_tasks) {
+        throw new Error("Cannot execute runtime validation without runtime_validation_tasks");
+    }
+    const existing = bundle.runtime_validation_report ?? { results: [] };
+    const byTaskId = new Map(existing.results.map((result) => [result.task_id, result]));
+    const byCommand = new Map();
+    for (const task of bundle.runtime_validation_tasks.tasks) {
+        const prior = byTaskId.get(task.id);
+        if (prior &&
+            ["confirmed", "not_confirmed", "inconclusive", "not_required"].includes(prior.status)) {
+            continue;
+        }
+        if (!task.command || task.command.length === 0) {
+            byTaskId.set(task.id, {
+                task_id: task.id,
+                status: "not_required",
+                summary: `No deterministic runtime command was available for ${task.id}.`,
+                evidence: [],
+                notes: ["Runtime validation was not planned for this task."],
+            });
+            continue;
+        }
+        const signature = task.command.join("\0");
+        const outcome = byCommand.get(signature) ?? (await runCommand(task.command, root, { opentoken: options.opentoken }));
+        byCommand.set(signature, outcome);
+        byTaskId.set(task.id, {
+            task_id: task.id,
+            status: outcome.status,
+            summary: outcome.summary,
+            evidence: outcome.evidence,
+            notes: [`Target paths: ${task.target_paths.join(", ")}`],
+        });
+    }
+    const runtimeValidationReport = {
+        results: [...byTaskId.values()].sort((a, b) => a.task_id.localeCompare(b.task_id)),
+    };
+    const baseUpdatedBundle = {
+        ...bundle,
+        runtime_validation_report: runtimeValidationReport,
+        audit_report: undefined,
+    };
+    const selectiveDeepening = applySelectiveDeepening({
+        baseBundle: baseUpdatedBundle,
+        results: bundle.audit_results ?? [],
+        runtimeValidationReport,
+    });
+    return {
+        updated: selectiveDeepening.bundle,
+        artifacts_written: [
+            "runtime_validation_report.json",
+            ...selectiveDeepening.artifacts,
+        ],
+        progress_summary: `Executed deterministic runtime validation for ${bundle.runtime_validation_tasks.tasks.length} task(s).` +
+            selectiveDeepening.summarySuffix,
+    };
+}
+export function runRuntimeValidationUpdateExecutor(bundle, updates) {
+    if (!bundle.runtime_validation_tasks) {
+        throw new Error("Cannot update runtime validation without runtime_validation_tasks");
+    }
+    const existingReport = bundle.runtime_validation_report ?? { results: [] };
+    const mergedReport = updateRuntimeValidationReport(bundle.runtime_validation_tasks, existingReport, updates);
+    const baseUpdatedBundle = {
+        ...bundle,
+        runtime_validation_report: mergedReport,
+        audit_report: undefined,
+    };
+    const selectiveDeepening = applySelectiveDeepening({
+        baseBundle: baseUpdatedBundle,
+        results: bundle.audit_results ?? [],
+        runtimeValidationReport: mergedReport,
+    });
+    return {
+        updated: selectiveDeepening.bundle,
+        artifacts_written: [
+            "runtime_validation_report.json",
+            ...selectiveDeepening.artifacts,
+        ],
+        progress_summary: `Merged ${updates.results.length} runtime validation updates.` +
+            selectiveDeepening.summarySuffix,
+    };
+}
+export function runExternalAnalyzerImportExecutor(bundle, externalResults) {
+    const summary = `Imported ${externalResults.results.length} normalized findings from ${externalResults.tool}.`;
+    return {
+        updated: {
+            ...bundle,
+            external_analyzer_results: externalResults,
+            coverage_matrix: undefined,
+            flow_coverage: undefined,
+            runtime_validation_tasks: undefined,
+            runtime_validation_report: undefined,
+            audit_tasks: undefined,
+            audit_plan_metrics: undefined,
+            review_packets: undefined,
+            requeue_tasks: undefined,
+            audit_report: undefined,
+        },
+        artifacts_written: ["external_analyzer_results.json"],
+        progress_summary: summary,
+    };
+}

package/dist/orchestrator/intakeExecutors.d.ts

@@ -0,0 +1,3 @@
+import type { ArtifactBundle } from "../io/artifacts.js";
+import type { ExecutorRunResult } from "./executorResult.js";
+export declare function runIntakeExecutor(bundle: ArtifactBundle, root: string): Promise<ExecutorRunResult>;

package/dist/orchestrator/intakeExecutors.js

@@ -0,0 +1,25 @@
+import { buildFileDisposition, isAuditExcludedStatus, } from "../extractors/disposition.js";
+import { buildRepoManifestFromFs } from "../extractors/fsIntake.js";
+import { loadIgnoreFile } from "../extractors/ignore.js";
+export async function runIntakeExecutor(bundle, root) {
+    const ignore = await loadIgnoreFile(root);
+    const repoManifest = await buildRepoManifestFromFs({
+        root,
+        ignore,
+        hash_files: true,
+    });
+    const disposition = buildFileDisposition(repoManifest);
+    const auditableCount = disposition.files.filter((file) => !isAuditExcludedStatus(file.status)).length;
+    if (auditableCount === 0) {
+        throw new Error(`No auditable files found in ${root}. The repository may be empty, generated-only, documentation-only, or filtered by .auditorignore.`);
+    }
+    return {
+        updated: {
+            ...bundle,
+            repo_manifest: repoManifest,
+            file_disposition: disposition,
+        },
+        artifacts_written: ["repo_manifest.json", "file_disposition.json"],
+        progress_summary: `Created intake artifacts for ${repoManifest.files.length} files.`,
+    };
+}

package/dist/orchestrator/planningExecutors.d.ts

@@ -0,0 +1,4 @@
+import type { ArtifactBundle } from "../io/artifacts.js";
+import type { AuditScopeManifest } from "../types/auditScope.js";
+import type { ExecutorRunResult } from "./executorResult.js";
+export declare function runPlanningExecutor(bundle: ArtifactBundle, root: string, lineIndex?: Record<string, number>, sizeIndex?: Record<string, number>, scope?: AuditScopeManifest): Promise<ExecutorRunResult>;

package/dist/orchestrator/planningExecutors.js

@@ -0,0 +1,95 @@
+import { initializeCoverageFromPlan } from "./planning.js";
+import { applyScopeToCoverage, fullAuditScope } from "./scope.js";
+import { buildFlowCoverage } from "./flowCoverage.js";
+import { buildRequeuePayload } from "./requeueCommand.js";
+import { buildRuntimeValidationTasks, discoverRuntimeValidationCommand, mergeRuntimeValidationReport, } from "./runtimeValidation.js";
+import { buildChunkedAuditTasks, } from "./taskBuilder.js";
+import { buildAuditPlanMetrics, buildReviewPackets, sizeIndexFromManifest, } from "./reviewPackets.js";
+import { autoCompleteTrivialCoverage } from "./trivialAudit.js";
+export async function runPlanningExecutor(bundle, root, lineIndex = {}, sizeIndex, scope) {
+    if (!bundle.repo_manifest) {
+        throw new Error("Cannot run planning executor without repo_manifest");
+    }
+    const resolvedSizeIndex = sizeIndex ?? sizeIndexFromManifest(bundle.repo_manifest);
+    if (!bundle.file_disposition ||
+        !bundle.unit_manifest ||
+        !bundle.surface_manifest ||
+        !bundle.critical_flows ||
+        !bundle.risk_register) {
+        throw new Error("Cannot run planning executor without current structure artifacts");
+    }
+    const resolvedScope = scope ?? fullAuditScope();
+    const externalAnalyzerResults = bundle.external_analyzer_results;
+    const coverage = initializeCoverageFromPlan(bundle.repo_manifest, bundle.unit_manifest, bundle.file_disposition, externalAnalyzerResults);
+    const skippedTrivialPaths = autoCompleteTrivialCoverage(coverage, lineIndex, externalAnalyzerResults);
+    // Delta scope: only seed + expanded files stay pending; the rest inherit prior
+    // completion or are excluded from this run. Full scope is a no-op.
+    applyScopeToCoverage(coverage, resolvedScope, bundle.coverage_matrix);
+    const flowCoverage = buildFlowCoverage(bundle.critical_flows, coverage);
+    const runtimeCommand = await discoverRuntimeValidationCommand(root);
+    const runtimeValidationTasks = buildRuntimeValidationTasks({
+        unitManifest: bundle.unit_manifest,
+        criticalFlows: bundle.critical_flows,
+        flowCoverage,
+        command: runtimeCommand,
+    });
+    const runtimeValidationReport = runtimeValidationTasks.tasks.length > 0
+        ? mergeRuntimeValidationReport(runtimeValidationTasks, bundle.runtime_validation_report)
+        : undefined;
+    const auditTasks = buildChunkedAuditTasks(coverage, lineIndex, {
+        external_analyzer_results: externalAnalyzerResults,
+        critical_flows: bundle.critical_flows,
+    });
+    const taggedAuditTasks = auditTasks.map((task) => ({
+        ...task,
+        status: task.status ?? "pending",
+    }));
+    const reviewPackets = buildReviewPackets(taggedAuditTasks, {
+        graphBundle: bundle.graph_bundle,
+        lineIndex,
+        sizeIndex: resolvedSizeIndex,
+    });
+    const auditPlanMetrics = buildAuditPlanMetrics(taggedAuditTasks, {
+        graphBundle: bundle.graph_bundle,
+        lineIndex,
+        sizeIndex: resolvedSizeIndex,
+    });
+    const requeuePayload = buildRequeuePayload(coverage, bundle.critical_flows, flowCoverage, externalAnalyzerResults);
+    const scopeSummary = resolvedScope.mode === "delta"
+        ? ` Delta scope since ${resolvedScope.since}: ${resolvedScope.seed_files.length} changed file(s) + ${resolvedScope.expanded_files.length} graph neighbour(s) queued; a full audit is advised before release.`
+        : "";
+    return {
+        updated: {
+            ...bundle,
+            scope: resolvedScope,
+            coverage_matrix: coverage,
+            flow_coverage: flowCoverage,
+            runtime_validation_tasks: runtimeValidationTasks,
+            runtime_validation_report: runtimeValidationReport,
+            audit_tasks: taggedAuditTasks,
+            audit_plan_metrics: auditPlanMetrics,
+            review_packets: reviewPackets,
+            requeue_tasks: requeuePayload.tasks,
+            audit_report: undefined,
+        },
+        artifacts_written: [
+            "scope.json",
+            "coverage_matrix.json",
+            "flow_coverage.json",
+            "runtime_validation_tasks.json",
+            ...(runtimeValidationReport ? ["runtime_validation_report.json"] : []),
+            "audit_tasks.json",
+            "audit_plan_metrics.json",
+            "review_packets.json",
+            "requeue_tasks.json",
+        ],
+        progress_summary: `Built planning artifacts; generated ${taggedAuditTasks.length} review tasks in ${reviewPackets.length} packet(s) and ${requeuePayload.task_count} requeue tasks.` +
+            scopeSummary +
+            (skippedTrivialPaths.length > 0
+                ? ` Skipped ${skippedTrivialPaths.length} trivial path${skippedTrivialPaths.length === 1 ? "" : "s"} from semantic review.`
+                : "") +
+            (runtimeCommand
+                ? ` Runtime validation will use: ${runtimeCommand.join(" ")}.`
+                : " No deterministic runtime validation command was discovered."),
+    };
+}

package/dist/orchestrator/reviewPacketGraph.d.ts

@@ -0,0 +1,31 @@
+import type { AuditTask } from "../types.js";
+import type { ReviewPacketGraphEdge, ReviewPacketQuality } from "../types/reviewPlanning.js";
+import type { GraphBundle, GraphEdge } from "@audit-tools/shared";
+import { UnionFind } from "./unionFind.js";
+import { normalizeGraphPath } from "../extractors/graphPathUtils.js";
+export { normalizeGraphPath };
+/**
+ * Fan-in / fan-out degree above which a node is treated as a hub. Exported so
+ * the Phase 3 delta-scope expansion skips the same hubs that packet planning
+ * skips, preventing scope blow-up through highly-connected modules.
+ */
+export declare const HIGH_FAN_DEGREE_THRESHOLD = 12;
+export declare function collectGraphEdges(graphBundle?: GraphBundle): GraphEdge[];
+export declare function graphEdgeConfidence(edge: GraphEdge): number;
+export declare function isConcreteGraphEdge(edge: GraphEdge): boolean;
+export interface GraphDegreeIndex {
+    fanIn: Map<string, number>;
+    fanOut: Map<string, number>;
+}
+export declare function buildGraphDegreeIndex(edges: GraphEdge[]): GraphDegreeIndex;
+export declare function isPacketExpansionEdge(edge: GraphEdge, degreeIndex: GraphDegreeIndex): boolean;
+export declare function buildFileToGroupKeys(groups: Map<string, AuditTask[]>): Map<string, Set<string>>;
+export declare function unionFindFromGroups(groups: Map<string, AuditTask[]>, graphEdges: GraphEdge[]): UnionFind;
+export declare function buildPlanningGraphEdges(groups: Map<string, AuditTask[]>, graphEdges: GraphEdge[], graphBundle?: GraphBundle, lineIndex?: Record<string, number>, sizeIndex?: Record<string, number>, targetPacketTokens?: number): GraphEdge[];
+export declare function roundQuality(value: number): number;
+export declare function buildPacketGraphContext(filePaths: string[], graphEdges: GraphEdge[], graphBundle?: GraphBundle): {
+    keyEdges: ReviewPacketGraphEdge[];
+    boundaryFiles: string[];
+    entrypoints: string[];
+    quality: ReviewPacketQuality;
+};