auditor-lambda 0.8.0 → 0.9.0

package/dist/cli/statusCommand.d.ts

@@ -0,0 +1 @@
+export declare function cmdStatus(argv: string[]): Promise<void>;

package/dist/cli/statusCommand.js

@@ -0,0 +1,113 @@
+import { readdir } from "node:fs/promises";
+import { join } from "node:path";
+import { isFileMissingError, readJsonFile } from "@audit-tools/shared";
+import { loadRunLedger } from "../supervisor/runLedger.js";
+import { getArtifactsDir } from "./args.js";
+export async function cmdStatus(argv) {
+    const artifactsDir = getArtifactsDir(argv);
+    const auditStatePath = join(artifactsDir, "audit_state.json");
+    // 1. Read audit_state.json
+    let auditState = null;
+    try {
+        auditState = await readJsonFile(auditStatePath);
+    }
+    catch (error) {
+        if (!isFileMissingError(error)) {
+            throw error;
+        }
+    }
+    if (!auditState) {
+        console.error("No audit_state.json found; no active audit in this artifacts directory.");
+        process.exitCode = 1;
+        return;
+    }
+    // Build obligations summary: count by state
+    const obligationStates = {
+        missing: 0,
+        present: 0,
+        stale: 0,
+        blocked: 0,
+        satisfied: 0,
+    };
+    for (const obligation of auditState.obligations ?? []) {
+        const state = obligation.state;
+        if (state in obligationStates) {
+            obligationStates[state]++;
+        }
+    }
+    // 2. Read run ledger for last N entries
+    const ledger = await loadRunLedger(artifactsDir);
+    const RECENT_RUN_LIMIT = 5;
+    const recentRuns = ledger.runs
+        .slice(-RECENT_RUN_LIMIT)
+        .reverse()
+        .map((entry) => ({
+        run_id: entry.run_id,
+        obligation_id: entry.obligation_id,
+        status: entry.status,
+        started_at: entry.started_at,
+    }));
+    // 3. Find the most recent run directory and read pending-audit-tasks.json
+    let pendingTasksSummary = null;
+    const runsDir = join(artifactsDir, "runs");
+    let runDirs = [];
+    try {
+        const entries = await readdir(runsDir, { withFileTypes: true });
+        runDirs = entries
+            .filter((e) => e.isDirectory())
+            .map((e) => e.name)
+            .sort()
+            .reverse();
+    }
+    catch {
+        // runs directory may not exist yet
+    }
+    for (const runDirName of runDirs) {
+        const runDir = join(runsDir, runDirName);
+        const tasksPath = join(runDir, "pending-audit-tasks.json");
+        let tasks = null;
+        try {
+            tasks = await readJsonFile(tasksPath);
+        }
+        catch {
+            continue; // no pending-audit-tasks.json in this run dir — try previous
+        }
+        if (!Array.isArray(tasks))
+            continue;
+        // Count remaining: tasks without status "complete"
+        const total = tasks.length;
+        const remaining = tasks.filter((t) => t.status !== "complete").length;
+        pendingTasksSummary = {
+            run_id: runDirName,
+            total,
+            remaining,
+        };
+        break;
+    }
+    // 4. Surface failed-tasks.json from the most recent run that has one
+    let failedTasks = null;
+    for (const runDirName of runDirs) {
+        const failedTasksPath = join(runsDir, runDirName, "failed-tasks.json");
+        try {
+            const raw = await readJsonFile(failedTasksPath);
+            if (Array.isArray(raw) && raw.length > 0) {
+                failedTasks = raw;
+                break;
+            }
+        }
+        catch {
+            // Not present in this run dir — keep looking
+        }
+    }
+    console.log(JSON.stringify({
+        artifacts_dir: artifactsDir,
+        status: auditState.status,
+        last_obligation: auditState.last_obligation ?? null,
+        last_executor: auditState.last_executor ?? null,
+        blockers: auditState.blockers ?? [],
+        obligations_summary: obligationStates,
+        recent_runs: recentRuns,
+        pending_tasks: pendingTasksSummary,
+        failed_tasks: failedTasks,
+    }, null, 2));
+}

package/dist/cli/submitPacketCommand.d.ts

@@ -0,0 +1 @@
+export declare function cmdSubmitPacket(argv: string[]): Promise<void>;

package/dist/cli/submitPacketCommand.js

@@ -0,0 +1,155 @@
+import { readFile } from "node:fs/promises";
+import { join, resolve } from "node:path";
+import { readJsonFile, writeJsonFile } from "@audit-tools/shared";
+import { validateAuditResults, formatAuditResultIssues } from "../validation/auditResults.js";
+import { DISPATCH_RESULT_MAP_FILENAME, resolveRunScopedArg, loadDispatchResultMap, entriesByTaskId, } from "./dispatch.js";
+import { fromBase64Url, getArtifactsDir, getFlag, readStdinText } from "./args.js";
+export async function cmdSubmitPacket(argv) {
+    const runId = resolveRunScopedArg(argv, "--run-id", "--run-id-b64");
+    const packetId = resolveRunScopedArg(argv, "--packet-id", "--packet-id-b64");
+    const artifactsDirB64 = getFlag(argv, "--artifacts-dir-b64");
+    const artifactsDir = artifactsDirB64
+        ? resolve(fromBase64Url(artifactsDirB64))
+        : getArtifactsDir(argv);
+    if (!runId || !packetId) {
+        throw new Error("submit-packet requires --run-id and --packet-id (or --run-id-b64/--packet-id-b64)");
+    }
+    const runDir = join(artifactsDir, "runs", runId);
+    const tasksPath = join(runDir, "pending-audit-tasks.json");
+    const resultMap = await loadDispatchResultMap(runDir);
+    if (!resultMap) {
+        throw new Error(`No ${DISPATCH_RESULT_MAP_FILENAME} found for run ${runId}; run prepare-dispatch first.`);
+    }
+    let packetEntries = resultMap.entries.filter((entry) => entry.packet_id === packetId);
+    let resolvedPacketId = packetId;
+    if (packetEntries.length === 0) {
+        const trimmed = packetId.trim();
+        packetEntries = resultMap.entries.filter((entry) => entry.packet_id.trim().toLowerCase() === trimmed.toLowerCase());
+        if (packetEntries.length > 0) {
+            resolvedPacketId = packetEntries[0].packet_id;
+            process.stderr.write(`[submit-packet] Resolved packet_id '${packetId}' → '${resolvedPacketId}' (case/whitespace normalization)\n`);
+        }
+    }
+    if (packetEntries.length === 0) {
+        const knownIds = [...new Set(resultMap.entries.map((e) => e.packet_id))];
+        throw new Error(`Unknown packet_id '${packetId}' for run ${runId}.\n` +
+            `Valid packet IDs: ${knownIds.join(", ")}`);
+    }
+    if (entriesByTaskId(packetEntries).size !== packetEntries.length) {
+        throw new Error(`Dispatch result map has duplicate task entries for packet '${resolvedPacketId}'.`);
+    }
+    const allTasks = await readJsonFile(tasksPath);
+    const taskById = new Map(allTasks.map((task) => [task.task_id, task]));
+    const packetTasks = packetEntries.map((entry) => taskById.get(entry.task_id));
+    const missingTask = packetEntries.find((entry, index) => !packetTasks[index]);
+    if (missingTask) {
+        throw new Error(`Dispatch result map references unknown task '${missingTask.task_id}'.`);
+    }
+    const tasks = packetTasks;
+    const expectedTaskIds = new Set(tasks.map((task) => task.task_id));
+    const lineIndex = Object.fromEntries(tasks.flatMap((task) => Object.entries(task.file_line_counts ?? {})));
+    const encodedResults = getFlag(argv, "--results-b64");
+    const raw = encodedResults ? fromBase64Url(encodedResults) : await readStdinText();
+    if (raw.trim().length === 0) {
+        throw new Error("submit-packet requires an AuditResult[] JSON payload on stdin or --results-b64.");
+    }
+    let payload;
+    try {
+        payload = JSON.parse(raw);
+    }
+    catch (error) {
+        throw new Error(`Invalid submit-packet JSON: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    const resultErrors = [];
+    const issues = validateAuditResults(payload, tasks, { lineIndex });
+    const validationErrors = issues.filter((issue) => issue.severity === "error");
+    const validationWarnings = issues.filter((issue) => issue.severity === "warning");
+    if (validationWarnings.length > 0) {
+        process.stderr.write(`audit-results validation: ${validationWarnings.length} warning(s):\n` +
+            formatAuditResultIssues(validationWarnings) +
+            "\n");
+    }
+    if (validationErrors.length > 0) {
+        resultErrors.push(formatAuditResultIssues(validationErrors));
+    }
+    if (Array.isArray(payload)) {
+        const seen = new Set();
+        for (const [index, result] of payload.entries()) {
+            if (!result || typeof result !== "object" || Array.isArray(result)) {
+                continue;
+            }
+            const taskId = result.task_id;
+            if (typeof taskId !== "string" || taskId.trim().length === 0) {
+                continue;
+            }
+            if (seen.has(taskId)) {
+                resultErrors.push(`Duplicate audit result for assigned task '${taskId}'.`);
+            }
+            seen.add(taskId);
+            if (!expectedTaskIds.has(taskId)) {
+                resultErrors.push(`Result at index ${index} uses task_id '${taskId}', which is not assigned to packet '${resolvedPacketId}'.`);
+            }
+        }
+        for (const task of tasks) {
+            if (!seen.has(task.task_id)) {
+                resultErrors.push(`Missing audit result for assigned task '${task.task_id}'.`);
+            }
+        }
+    }
+    if (resultErrors.length > 0) {
+        throw new Error(`submit-packet rejected ${resolvedPacketId}:\n${resultErrors.join("\n")}`);
+    }
+    // Check for duplicate findings against already-submitted results in this run
+    const existingFindingKeys = new Set();
+    const otherEntries = resultMap.entries.filter((e) => e.packet_id !== resolvedPacketId);
+    for (const other of otherEntries) {
+        try {
+            const existing = JSON.parse(await readFile(other.result_path, "utf8"));
+            if (existing?.findings) {
+                for (const f of existing.findings) {
+                    const key = [
+                        (f.lens ?? "").trim().toLowerCase(),
+                        (f.category ?? "").trim().toLowerCase(),
+                        (f.title ?? "").trim().toLowerCase(),
+                        f.affected_files?.[0]?.path ?? "",
+                    ].join("|");
+                    existingFindingKeys.add(key);
+                }
+            }
+        }
+        catch { /* file doesn't exist yet or invalid — skip */ }
+    }
+    let dupCount = 0;
+    for (const result of payload) {
+        for (const f of result.findings ?? []) {
+            const key = [
+                (f.lens ?? "").trim().toLowerCase(),
+                (f.category ?? "").trim().toLowerCase(),
+                (f.title ?? "").trim().toLowerCase(),
+                f.affected_files?.[0]?.path ?? "",
+            ].join("|");
+            if (existingFindingKeys.has(key)) {
+                dupCount++;
+            }
+        }
+    }
+    if (dupCount > 0) {
+        process.stderr.write(`[submit-packet] Warning: ${dupCount} finding(s) appear to duplicate findings from other packets in this run.\n`);
+    }
+    const entryByTaskId = entriesByTaskId(packetEntries);
+    for (const result of payload) {
+        const entry = entryByTaskId.get(result.task_id);
+        if (!entry) {
+            throw new Error(`Internal error: no result path for accepted task '${result.task_id}'.`);
+        }
+        await writeJsonFile(entry.result_path, result);
+    }
+    const findingCount = payload.reduce((sum, result) => sum + result.findings.length, 0);
+    console.log(JSON.stringify({
+        run_id: runId,
+        packet_id: resolvedPacketId,
+        accepted_count: payload.length,
+        finding_count: findingCount,
+        ...(dupCount > 0 ? { duplicate_warning_count: dupCount } : {}),
+    }, null, 2));
+}

package/dist/cli/workerResult.d.ts

@@ -1,5 +1,5 @@
 import type { WorkerResult } from "../types/workerResult.js";
-import type { RunPaths } from "../io/runArtifacts.js";
+import type { RunPaths } from "../io/runArtifactTypes.js";
 export declare const WORKER_RESULT_CONTRACT_VERSION = "audit-code-worker-result/v1alpha1";
 export declare function buildWorkerResult(params: {
     runId: string;

package/dist/cli/workerRunCommand.d.ts

@@ -0,0 +1 @@
+export declare function cmdWorkerRun(argv: string[]): Promise<void>;

package/dist/cli/workerRunCommand.js

@@ -0,0 +1,88 @@
+import { readJsonFile, writeJsonFile } from "@audit-tools/shared";
+import { validateAuditResults, formatAuditResultIssues } from "../validation/auditResults.js";
+import { runAuditStep } from "./auditStep.js";
+import { buildLineIndexForPaths } from "./lineIndex.js";
+import { WORKER_RESULT_CONTRACT_VERSION, formatAuditResultValidationError } from "./workerResult.js";
+import { getFlag, looksLikeCliFlag } from "./args.js";
+export async function cmdWorkerRun(argv) {
+    const taskPath = getFlag(argv, "--task");
+    if (!taskPath) {
+        throw new Error("worker-run requires --task <path>");
+    }
+    const task = await readJsonFile(taskPath);
+    let workerResult;
+    try {
+        if (looksLikeCliFlag(task.audit_results_path)) {
+            throw new Error(`task.audit_results_path resolved to '${task.audit_results_path}', which looks like a CLI flag instead of a file path.`);
+        }
+        if (task.preferred_executor === "agent" && !task.audit_results_path) {
+            throw new Error("agent worker-run requires audit_results_path so provider-assisted review can be ingested.");
+        }
+        if (task.preferred_executor === "agent" && task.audit_results_path) {
+            const pendingTasks = task.pending_audit_tasks_path
+                ? await readJsonFile(task.pending_audit_tasks_path)
+                : [];
+            const auditResults = await readJsonFile(task.audit_results_path);
+            const pendingTaskIds = new Set(pendingTasks.map((item) => item.task_id));
+            const matchedResultCount = auditResults.filter((result) => pendingTaskIds.has(result.task_id)).length;
+            if (pendingTasks.length > 0 && matchedResultCount === 0) {
+                throw new Error("Provider-assisted review did not emit any audit results for the pending audit tasks.");
+            }
+            const issues = validateAuditResults(auditResults, pendingTasks, {
+                lineIndex: await buildLineIndexForPaths(task.repo_root, pendingTasks.flatMap((item) => item.file_paths)),
+            });
+            const errors = issues.filter((issue) => issue.severity === "error");
+            const warnings = issues.filter((issue) => issue.severity === "warning");
+            if (warnings.length > 0) {
+                process.stderr.write(`audit-results validation: ${warnings.length} warning(s):\n` +
+                    formatAuditResultIssues(warnings) +
+                    "\n");
+            }
+            if (errors.length > 0) {
+                throw new Error(formatAuditResultValidationError(errors));
+            }
+        }
+        const preferredExecutor = task.preferred_executor === "agent"
+            ? "result_ingestion_executor"
+            : task.preferred_executor;
+        const result = await runAuditStep({
+            root: task.repo_root,
+            artifactsDir: task.artifacts_dir,
+            preferredExecutor,
+            auditResultsPath: task.audit_results_path,
+            runtimeUpdatesPath: task.runtime_updates_path,
+            externalAnalyzerPath: task.external_analyzer_results_path,
+        });
+        workerResult = {
+            contract_version: WORKER_RESULT_CONTRACT_VERSION,
+            run_id: task.run_id,
+            obligation_id: task.obligation_id,
+            status: result.progress_made ? "completed" : "no_progress",
+            progress_made: result.progress_made,
+            selected_executor: result.selected_executor,
+            artifacts_written: result.artifacts_written,
+            summary: result.progress_summary,
+            next_likely_step: result.next_likely_step,
+            errors: [],
+        };
+    }
+    catch (error) {
+        workerResult = {
+            contract_version: WORKER_RESULT_CONTRACT_VERSION,
+            run_id: task.run_id,
+            obligation_id: task.obligation_id,
+            status: "failed",
+            progress_made: false,
+            selected_executor: task.preferred_executor,
+            artifacts_written: [],
+            summary: `Worker failed for executor ${task.preferred_executor}: ${error instanceof Error ? error.message : String(error)}`,
+            next_likely_step: task.obligation_id,
+            errors: [error instanceof Error ? error.message : String(error)],
+        };
+    }
+    await writeJsonFile(task.result_path, workerResult);
+    console.log(JSON.stringify(workerResult, null, 2));
+    if (workerResult.status === "failed") {
+        process.exitCode = 1;
+    }
+}