auditor-lambda 0.8.0 → 0.9.0

package/dist/extractors/analyzers/treeSitter.js

@@ -2,8 +2,12 @@ import { createRequire } from "node:module";
 import { dirname, join } from "node:path";
 import { pathToFileURL } from "node:url";
 const requireFromHere = createRequire(import.meta.url);
-let modulePromise;
-let initPromise;
+// The parser module is resolved per `dependencyPath`: a call with a different
+// dependencyPath must resolve its own module rather than reusing the first
+// resolution. Keyed by `dependencyPath ?? ""` so the bare-specifier path
+// (no dependencyPath) gets a stable cache slot too.
+const moduleCache = new Map();
+const initCache = new Map();
 const languageCache = new Map();
 async function importParserModule(dependencyPath) {
     const specifiers = [];
@@ -26,25 +30,33 @@ async function importParserModule(dependencyPath) {
                 return resolved;
             }
         }
-        catch {
-            // Try the next specifier.
+        catch (e) {
+            process.stderr.write(`[audit-code] tree-sitter: failed to import '${specifier}': ${e.message ?? String(e)}\n`);
         }
     }
     return undefined;
 }
 async function getModule(dependencyPath) {
-    if (!modulePromise) {
-        modulePromise = importParserModule(dependencyPath);
+    const key = dependencyPath ?? "";
+    let cached = moduleCache.get(key);
+    if (!cached) {
+        cached = importParserModule(dependencyPath);
+        moduleCache.set(key, cached);
     }
-    return modulePromise;
+    return cached;
 }
 async function ensureInit(parserModule) {
-    if (!initPromise) {
-        initPromise = parserModule.Parser.init()
+    let cached = initCache.get(parserModule);
+    if (!cached) {
+        cached = parserModule.Parser.init()
             .then(() => true)
-            .catch(() => false);
+            .catch((e) => {
+            process.stderr.write(`[audit-code] tree-sitter: Parser.init() failed: ${e.message ?? String(e)}\n`);
+            return false;
+        });
+        initCache.set(parserModule, cached);
     }
-    return initPromise;
+    return cached;
 }
 function resolveGrammarPath(grammar) {
     // tree-sitter-wasms ships prebuilt grammars under out/tree-sitter-<lang>.wasm.
@@ -76,7 +88,8 @@ async function loadLanguage(parserModule, grammar) {
         languageCache.set(grammar, language);
         return language;
     }
-    catch {
+    catch (e) {
+        process.stderr.write(`[audit-code] tree-sitter: failed to load grammar '${grammar}' from '${grammarPath}': ${e.message ?? String(e)}\n`);
         languageCache.set(grammar, null);
         return undefined;
     }
@@ -99,13 +112,14 @@ export async function getTreeSitterParser(grammar, dependencyPath) {
         parser.setLanguage(language);
         return parser;
     }
-    catch {
+    catch (e) {
+        process.stderr.write(`[audit-code] tree-sitter: failed to instantiate parser for grammar '${grammar}': ${e.message ?? String(e)}\n`);
         return undefined;
     }
 }
 /** Test seam: reset the memoised runtime/grammar caches. */
 export function __resetTreeSitterForTests() {
-    modulePromise = undefined;
-    initPromise = undefined;
+    moduleCache.clear();
+    initCache.clear();
     languageCache.clear();
 }

package/dist/extractors/analyzers/typescript.js

@@ -33,8 +33,8 @@ async function loadTypescript(dependencyPath) {
             const mod = (await import(pathToFileURL(mainPath).href));
             return (mod.default ?? mod);
         }
-        catch {
-            // Fall through to the bundled compiler.
+        catch (e) {
+            process.stderr.write(`[audit-code] typescript-analyzer: failed to load TypeScript from '${dependencyPath}', falling back to bundled: ${e.message ?? String(e)}\n`);
         }
     }
     const mod = (await import("typescript"));
@@ -50,7 +50,8 @@ function loadCompilerOptions(ts, root) {
             options = parsed.options;
         }
     }
-    catch {
+    catch (e) {
+        process.stderr.write(`[audit-code] typescript-analyzer: failed to load compiler options from '${root}', using defaults: ${e.message ?? String(e)}\n`);
         options = {};
     }
     // Force a lenient, emit-free, JS-aware program: we only want resolution + the
@@ -97,8 +98,8 @@ function resolveSymbolToIncluded(state, symbol) {
         try {
             resolved = state.checker.getAliasedSymbol(resolved);
         }
-        catch {
-            // Keep the un-aliased symbol on failure.
+        catch (_e) {
+            // getAliasedSymbol can throw for malformed programs; keep the un-aliased symbol.
         }
     }
     for (const declaration of resolved.declarations ?? []) {
@@ -221,7 +222,8 @@ async function analyze(files, context) {
     try {
         ts = await loadTypescript(context.dependencyPath);
     }
-    catch {
+    catch (e) {
+        process.stderr.write(`[audit-code] typescript-analyzer: failed to load TypeScript compiler, skipping ${files.length} file(s): ${e.message ?? String(e)}\n`);
         return { edges: [] };
     }
     try {
@@ -244,8 +246,8 @@ async function analyze(files, context) {
         }
         return { edges: [...imports, ...references, ...calls] };
     }
-    catch {
-        // Any compiler failure degrades cleanly to the regex floor.
+    catch (e) {
+        process.stderr.write(`[audit-code] typescript-analyzer: program analysis failed for ${files.length} file(s) under '${context.root}', degrading to regex floor: ${e.message ?? String(e)}\n`);
         return { edges: [] };
     }
 }

package/dist/extractors/designAssessment.js

@@ -1,6 +1,9 @@
-let nextFindingId = 1;
-function findingId() {
-    return `DA-${String(nextFindingId++).padStart(3, "0")}`;
+// ID generation is instance-scoped per build (no shared mutable module state),
+// so repeated/concurrent buildDesignAssessment calls produce independent,
+// non-colliding DA-### sequences.
+function createFindingIdGenerator() {
+    let n = 1;
+    return () => `DA-${String(n++).padStart(3, "0")}`;
 }
 function allEdges(graphBundle) {
     const edges = [];
@@ -49,11 +52,27 @@ function detectCycles(edges) {
     }
     return cycles;
 }
+// Canonicalize a directed cycle by rotating it so the lexicographically
+// smallest node leads, preserving order/direction. Rotation (not sort) keeps
+// distinct directed cycles over the same node set apart (A→B→C→A vs A→C→B→A)
+// while still deduping the same cycle discovered from different DFS start nodes
+// (which differ only by rotation).
+function canonicalCycleKey(cycle) {
+    if (cycle.length === 0)
+        return "";
+    let minIdx = 0;
+    for (let i = 1; i < cycle.length; i++) {
+        if (cycle[i] < cycle[minIdx])
+            minIdx = i;
+    }
+    const rotated = [...cycle.slice(minIdx), ...cycle.slice(0, minIdx)];
+    return rotated.join("\0");
+}
 function deduplicateCycles(cycles) {
     const seen = new Set();
     const unique = [];
     for (const cycle of cycles) {
-        const normalized = [...cycle].sort().join("\0");
+        const normalized = canonicalCycleKey(cycle);
         if (!seen.has(normalized)) {
             seen.add(normalized);
             unique.push(cycle);
@@ -61,13 +80,13 @@ function deduplicateCycles(cycles) {
     }
     return unique;
 }
-function detectCycleFindings(graphBundle) {
+function detectCycleFindings(graphBundle, nextId) {
     const edges = allEdges(graphBundle);
     const cycles = deduplicateCycles(detectCycles(edges));
     if (cycles.length === 0)
         return [];
     return cycles.slice(0, 10).map((cycle) => ({
-        id: findingId(),
+        id: nextId(),
         title: `Dependency cycle: ${cycle.length} modules`,
         category: "dependency_cycle",
         severity: cycle.length > 4 ? "high" : "medium",
@@ -78,7 +97,7 @@ function detectCycleFindings(graphBundle) {
         systemic: true,
     }));
 }
-function detectHubModules(graphBundle) {
+function detectHubModules(graphBundle, nextId) {
     const edges = allEdges(graphBundle);
     const fanIn = new Map();
     const fanOut = new Map();
@@ -94,7 +113,7 @@ function detectHubModules(graphBundle) {
         const outCount = fanOut.get(node) ?? 0;
         if (inCount >= hubThreshold && outCount >= hubThreshold) {
             findings.push({
-                id: findingId(),
+                id: nextId(),
                 title: `Hub module: ${node}`,
                 category: "hub_module",
                 severity: "medium",
@@ -108,7 +127,7 @@ function detectHubModules(graphBundle) {
     }
     return findings;
 }
-function detectOrphanUnits(unitManifest, graphBundle) {
+function detectOrphanUnits(unitManifest, graphBundle, nextId) {
     const edges = allEdges(graphBundle);
     const connected = new Set();
     for (const edge of edges) {
@@ -129,7 +148,7 @@ function detectOrphanUnits(unitManifest, graphBundle) {
     if (orphans.length > unitManifest.units.length * 0.5)
         return [];
     return [{
-            id: findingId(),
+            id: nextId(),
             title: `${orphans.length} orphan unit(s) with no graph connections`,
             category: "orphan_units",
             severity: "low",
@@ -143,7 +162,7 @@ function detectOrphanUnits(unitManifest, graphBundle) {
             systemic: true,
         }];
 }
-function detectRiskConcentration(riskRegister, unitManifest) {
+function detectRiskConcentration(riskRegister, unitManifest, nextId) {
     if (riskRegister.items.length < 4)
         return [];
     const sorted = [...riskRegister.items].sort((a, b) => b.risk_score - a.risk_score);
@@ -157,7 +176,7 @@ function detectRiskConcentration(riskRegister, unitManifest) {
     if (concentration < 0.6)
         return [];
     return [{
-            id: findingId(),
+            id: nextId(),
             title: "Risk concentrated in top quartile of units",
             category: "risk_concentration",
             severity: concentration > 0.8 ? "high" : "medium",
@@ -171,7 +190,7 @@ function detectRiskConcentration(riskRegister, unitManifest) {
             systemic: true,
         }];
 }
-function detectUnitSprawl(unitManifest) {
+function detectUnitSprawl(unitManifest, nextId) {
     if (unitManifest.units.length < 3)
         return [];
     const fileCounts = unitManifest.units.map((u) => u.files.length);
@@ -181,7 +200,7 @@ function detectUnitSprawl(unitManifest) {
     const dominantUnit = unitManifest.units.find((u) => u.files.length === maxFiles);
     if (dominantUnit && maxFiles > totalFiles * 0.5 && totalFiles > 10) {
         findings.push({
-            id: findingId(),
+            id: nextId(),
             title: `Dominant unit: ${dominantUnit.unit_id}`,
             category: "monolith_unit",
             severity: "medium",
@@ -196,7 +215,7 @@ function detectUnitSprawl(unitManifest) {
         const smallUnits = unitManifest.units.filter((u) => u.files.length === 1);
         if (smallUnits.length > unitManifest.units.length * 0.6) {
             findings.push({
-                id: findingId(),
+                id: nextId(),
                 title: "Excessive single-file units",
                 category: "unit_fragmentation",
                 severity: "low",
@@ -210,7 +229,7 @@ function detectUnitSprawl(unitManifest) {
     }
     return findings;
 }
-function detectFlowGaps(criticalFlows, graphBundle) {
+function detectFlowGaps(criticalFlows, graphBundle, nextId) {
     const edges = allEdges(graphBundle);
     const connected = new Set();
     for (const edge of edges) {
@@ -223,7 +242,7 @@ function detectFlowGaps(criticalFlows, graphBundle) {
         if (disconnected.length > 0 &&
             disconnected.length > flow.paths.length * 0.5) {
             findings.push({
-                id: findingId(),
+                id: nextId(),
                 title: `Critical flow "${flow.name}" has weak graph coverage`,
                 category: "flow_gap",
                 severity: "medium",
@@ -238,14 +257,14 @@ function detectFlowGaps(criticalFlows, graphBundle) {
     return findings;
 }
 export function buildDesignAssessment(params) {
-    nextFindingId = 1;
+    const nextId = createFindingIdGenerator();
     const findings = [
-        ...detectCycleFindings(params.graphBundle),
-        ...detectHubModules(params.graphBundle),
-        ...detectOrphanUnits(params.unitManifest, params.graphBundle),
-        ...detectRiskConcentration(params.riskRegister, params.unitManifest),
-        ...detectUnitSprawl(params.unitManifest),
-        ...detectFlowGaps(params.criticalFlows, params.graphBundle),
+        ...detectCycleFindings(params.graphBundle, nextId),
+        ...detectHubModules(params.graphBundle, nextId),
+        ...detectOrphanUnits(params.unitManifest, params.graphBundle, nextId),
+        ...detectRiskConcentration(params.riskRegister, params.unitManifest, nextId),
+        ...detectUnitSprawl(params.unitManifest, nextId),
+        ...detectFlowGaps(params.criticalFlows, params.graphBundle, nextId),
     ];
     return {
         generated_at: new Date().toISOString(),

package/dist/extractors/graph.js

@@ -48,6 +48,15 @@ const CONFTEST_LINK_CONFIDENCE = 0.85;
 const ANALYZER_OWNERSHIP_EDGE_CONFIDENCE = 0.84;
 const CONTAINER_EDGE_CONFIDENCE = 0.25;
 const AUTH_SESSION_EDGE_CONFIDENCE = 0.55;
+/** Named graph edge-kind keys (was a scatter of inline string literals). */
+const EDGE_KIND = {
+    heuristicContainer: "heuristic-container-edge",
+    heuristicAuthSession: "heuristic-auth-session-link",
+    conftestLink: "conftest-link",
+    analyzerOwnershipRootLink: "analyzer-ownership-root-link",
+    relativeStringReference: "relative-string-reference",
+    repoPathReference: "repo-path-reference",
+};
 function shouldReadForGraph(file) {
     const normalized = normalizeGraphPath(file.path);
     return (file.size_bytes <= MAX_GRAPH_SOURCE_BYTES &&
@@ -136,7 +145,7 @@ function extractAnalyzerOwnershipEdges(externalAnalyzerResults, pathLookup) {
             edges.push(graphEdge({
                 from: root,
                 to: target,
-                kind: "analyzer-ownership-root-link",
+                kind: EDGE_KIND.analyzerOwnershipRootLink,
                 direction: "undirected",
                 confidence,
                 reason: providedReason ??
@@ -212,8 +221,8 @@ function extractReferenceEdges(fromPath, content, pathLookup) {
                 from: fromPath,
                 to: target,
                 kind: relativeReference
-                    ? "relative-string-reference"
-                    : "repo-path-reference",
+                    ? EDGE_KIND.relativeStringReference
+                    : EDGE_KIND.repoPathReference,
                 direction: "directed",
                 confidence: relativeReference
                     ? RELATIVE_REFERENCE_EDGE_CONFIDENCE
@@ -250,7 +259,7 @@ function extractPytestConftestLinks(pathLookup) {
             edges.push(graphEdge({
                 from: conftestPath,
                 to: targetPath,
-                kind: "conftest-link",
+                kind: EDGE_KIND.conftestLink,
                 confidence: CONFTEST_LINK_CONFIDENCE,
                 reason: `Pytest conftest '${conftestPath}' applies to all Python files in its scope directory.`,
             }));
@@ -293,11 +302,118 @@ export async function buildGraphBundleFromFs(repoManifest, root, disposition, op
     }
     return buildGraphBundle(repoManifest, disposition, { ...options, fileContents });
 }
+/**
+ * Heuristic "container" edge: a file two-or-more directories deep is linked to
+ * its top-two-segment module root, suggesting shared module ownership.
+ */
+function extractHeuristicContainerEdges(filePath) {
+    const parts = filePath.split("/");
+    if (parts.length <= 2)
+        return [];
+    return [
+        graphEdge({
+            from: filePath,
+            to: `${parts[0]}/${parts[1]}`,
+            kind: EDGE_KIND.heuristicContainer,
+            direction: "undirected",
+            confidence: CONTAINER_EDGE_CONFIDENCE,
+            reason: "Path hierarchy suggests shared module ownership.",
+        }),
+    ];
+}
+/**
+ * Heuristic security edge: an auth-named (non-session) file is linked to every
+ * session-named file by naming convention, flagging likely auth↔session coupling.
+ */
+function extractHeuristicAuthSessionEdges(filePath, repoManifest, dispositionMap) {
+    const normalized = filePath.toLowerCase();
+    if (!(normalized.includes("auth") && normalized.includes("session") === false)) {
+        return [];
+    }
+    const edges = [];
+    for (const other of repoManifest.files) {
+        if (other.path === filePath)
+            continue;
+        const otherStatus = dispositionMap.get(other.path);
+        if (otherStatus && isAuditExcludedStatus(otherStatus))
+            continue;
+        if (other.path.toLowerCase().includes("session")) {
+            edges.push(graphEdge({
+                from: filePath,
+                to: other.path,
+                kind: EDGE_KIND.heuristicAuthSession,
+                confidence: AUTH_SESSION_EDGE_CONFIDENCE,
+                reason: "Security-sensitive auth path appears coupled to a session path by naming convention.",
+            }));
+        }
+    }
+    return edges;
+}
+/**
+ * Run every content-driven edge extractor over one file's source, appending its
+ * import / call / reference / route edges into the accumulator. Mirrors the
+ * original inline body exactly (including push order) so the deduped/sorted
+ * result is byte-identical.
+ */
+function extractContentEdgesForFile(filePath, content, pathLookup, acc, fileRoutes) {
+    acc.imports.push(...extractImportEdges(filePath, content, pathLookup));
+    acc.imports.push(...extractPythonImportEdges(filePath, content, pathLookup));
+    acc.references.push(...extractReferenceEdges(filePath, content, pathLookup));
+    acc.references.push(...extractJsonSchemaReferenceEdges(filePath, content, pathLookup));
+    acc.references.push(...extractPackageEntrypointEdges(filePath, content, pathLookup));
+    acc.references.push(...extractChromeExtensionManifestEdges(filePath, content, pathLookup));
+    acc.references.push(...extractHtmlResourceEdges(filePath, content, pathLookup));
+    acc.references.push(...extractPackageScriptEdges(filePath, content, pathLookup));
+    acc.references.push(...extractWorkspacePackageEdges(filePath, content, pathLookup));
+    acc.references.push(...extractTypescriptProjectReferenceEdges(filePath, content, pathLookup));
+    acc.references.push(...extractGoWorkspaceModuleEdges(filePath, content, pathLookup));
+    acc.references.push(...extractCargoWorkspaceMemberEdges(filePath, content, pathLookup));
+    acc.references.push(...extractMavenModuleEdges(filePath, content, pathLookup));
+    acc.references.push(...extractPyprojectTestpathLinks(filePath, content, pathLookup));
+    acc.references.push(...extractYamlPathReferenceEdges(filePath, content, pathLookup));
+    acc.references.push(...extractSchemaContractTestEdges(filePath, content, pathLookup));
+    const registeredRoutes = extractRegisteredRouteEvidence(filePath, content, pathLookup);
+    acc.calls.push(...registeredRoutes.calls);
+    fileRoutes.push(...registeredRoutes.routes);
+    const frameworkRoutes = extractFrameworkRouteEvidence(filePath, content, pathLookup);
+    acc.calls.push(...frameworkRoutes.calls);
+    fileRoutes.push(...frameworkRoutes.routes);
+}
+/**
+ * Emit the OBS-003 graph-extraction metric. No RunLogger is in scope in this
+ * leaf extractor, so it uses the established structured-stderr summary
+ * (FINDING-012 pattern): node count, total edge count, and the number of
+ * non-empty graph types.
+ */
+function logGraphExtractionMetric(graphs) {
+    const edgeCount = graphs.imports.length +
+        graphs.calls.length +
+        graphs.references.length +
+        graphs.routes.length;
+    const nodes = new Set();
+    for (const edge of [...graphs.imports, ...graphs.calls, ...graphs.references]) {
+        nodes.add(edge.from);
+        nodes.add(edge.to);
+    }
+    for (const route of graphs.routes) {
+        nodes.add(route.path);
+        nodes.add(route.handler);
+    }
+    const graphTypeCount = [
+        graphs.imports,
+        graphs.calls,
+        graphs.references,
+        graphs.routes,
+    ].filter((edges) => edges.length > 0).length;
+    process.stderr.write(`[audit-code] graph: built bundle — ${nodes.size} nodes, ${edgeCount} edges across ${graphTypeCount} graph type(s)\n`);
+}
 export function buildGraphBundle(repoManifest, disposition, options = {}) {
-    const imports = [];
-    const calls = [];
-    const references = [];
-    const routes = [];
+    const acc = {
+        imports: [],
+        calls: [],
+        references: [],
+        routes: [],
+    };
     const dispositionMap = buildDispositionMap(disposition);
     const pathLookup = buildPathLookup(repoManifest, dispositionMap);
     for (const file of repoManifest.files) {
@@ -305,62 +421,12 @@ export function buildGraphBundle(repoManifest, disposition, options = {}) {
         if (file.excluded || (status && isAuditExcludedStatus(status))) {
             continue;
         }
-        const parts = file.path.split("/");
-        if (parts.length > 2) {
-            imports.push(graphEdge({
-                from: file.path,
-                to: `${parts[0]}/${parts[1]}`,
-                kind: "heuristic-container-edge",
-                direction: "undirected",
-                confidence: CONTAINER_EDGE_CONFIDENCE,
-                reason: "Path hierarchy suggests shared module ownership.",
-            }));
-        }
-        const normalized = file.path.toLowerCase();
-        if (normalized.includes("auth") &&
-            normalized.includes("session") === false) {
-            for (const other of repoManifest.files) {
-                if (other.path === file.path)
-                    continue;
-                const otherStatus = dispositionMap.get(other.path);
-                if (otherStatus && isAuditExcludedStatus(otherStatus))
-                    continue;
-                if (other.path.toLowerCase().includes("session")) {
-                    imports.push(graphEdge({
-                        from: file.path,
-                        to: other.path,
-                        kind: "heuristic-auth-session-link",
-                        confidence: AUTH_SESSION_EDGE_CONFIDENCE,
-                        reason: "Security-sensitive auth path appears coupled to a session path by naming convention.",
-                    }));
-                }
-            }
-        }
+        acc.imports.push(...extractHeuristicContainerEdges(file.path));
+        acc.imports.push(...extractHeuristicAuthSessionEdges(file.path, repoManifest, dispositionMap));
         const content = options.fileContents?.[file.path];
         const fileRoutes = [];
         if (content) {
-            imports.push(...extractImportEdges(file.path, content, pathLookup));
-            imports.push(...extractPythonImportEdges(file.path, content, pathLookup));
-            references.push(...extractReferenceEdges(file.path, content, pathLookup));
-            references.push(...extractJsonSchemaReferenceEdges(file.path, content, pathLookup));
-            references.push(...extractPackageEntrypointEdges(file.path, content, pathLookup));
-            references.push(...extractChromeExtensionManifestEdges(file.path, content, pathLookup));
-            references.push(...extractHtmlResourceEdges(file.path, content, pathLookup));
-            references.push(...extractPackageScriptEdges(file.path, content, pathLookup));
-            references.push(...extractWorkspacePackageEdges(file.path, content, pathLookup));
-            references.push(...extractTypescriptProjectReferenceEdges(file.path, content, pathLookup));
-            references.push(...extractGoWorkspaceModuleEdges(file.path, content, pathLookup));
-            references.push(...extractCargoWorkspaceMemberEdges(file.path, content, pathLookup));
-            references.push(...extractMavenModuleEdges(file.path, content, pathLookup));
-            references.push(...extractPyprojectTestpathLinks(file.path, content, pathLookup));
-            references.push(...extractYamlPathReferenceEdges(file.path, content, pathLookup));
-            references.push(...extractSchemaContractTestEdges(file.path, content, pathLookup));
-            const registeredRoutes = extractRegisteredRouteEvidence(file.path, content, pathLookup);
-            calls.push(...registeredRoutes.calls);
-            fileRoutes.push(...registeredRoutes.routes);
-            const frameworkRoutes = extractFrameworkRouteEvidence(file.path, content, pathLookup);
-            calls.push(...frameworkRoutes.calls);
-            fileRoutes.push(...frameworkRoutes.routes);
+            extractContentEdgesForFile(file.path, content, pathLookup, acc, fileRoutes);
         }
         fileRoutes.push(...extractConventionalRouteEvidence(file.path, content));
         if (fileRoutes.length === 0) {
@@ -369,18 +435,18 @@ export function buildGraphBundle(repoManifest, disposition, options = {}) {
                 fileRoutes.push(fallbackRoute);
             }
         }
-        routes.push(...fileRoutes);
-        references.push(...extractTestSourceEdges(file.path, pathLookup));
+        acc.routes.push(...fileRoutes);
+        acc.references.push(...extractTestSourceEdges(file.path, pathLookup));
     }
-    references.push(...extractAnalyzerOwnershipEdges(options.externalAnalyzerResults, pathLookup));
-    references.push(...extractPytestConftestLinks(pathLookup));
-    references.push(...extractBoundedSuiteEdges(pathLookup, options.fileContents ?? {}, references));
-    return {
-        graphs: {
-            imports: uniqueSortedEdges(imports),
-            calls: uniqueSortedEdges(calls),
-            references: uniqueSortedEdges(references),
-            routes: uniqueSortedRoutes(routes),
-        },
+    acc.references.push(...extractAnalyzerOwnershipEdges(options.externalAnalyzerResults, pathLookup));
+    acc.references.push(...extractPytestConftestLinks(pathLookup));
+    acc.references.push(...extractBoundedSuiteEdges(pathLookup, options.fileContents ?? {}, acc.references));
+    const graphs = {
+        imports: uniqueSortedEdges(acc.imports),
+        calls: uniqueSortedEdges(acc.calls),
+        references: uniqueSortedEdges(acc.references),
+        routes: uniqueSortedRoutes(acc.routes),
     };
+    logGraphExtractionMetric(graphs);
+    return { graphs };
 }

package/dist/extractors/pathPatterns.js

@@ -136,6 +136,15 @@ function splitSegments(normalized) {
 function hasSegment(normalized, segment) {
     return splitSegments(normalized).includes(segment);
 }
+/**
+ * True when any of `segments` appears as a path segment. Splits the path once
+ * and tests all candidates against that single set, instead of re-splitting per
+ * segment as repeated `hasSegment` calls would.
+ */
+function hasAnySegment(normalized, segments) {
+    const present = new Set(splitSegments(normalized));
+    return segments.some((segment) => present.has(segment));
+}
 function includesAny(normalized, values) {
     return values.some((value) => normalized.includes(value));
 }
@@ -208,13 +217,16 @@ export function isTestPath(normalized) {
 export function isInterfacePath(normalized) {
     return hasToken(normalized, INTERFACE_KEYWORDS) || hasSegment(normalized, "api");
 }
+const DATA_LAYER_SEGMENTS = [
+    "models",
+    "schemas",
+    "migrations",
+    "seeds",
+    "db",
+];
 export function isDataLayerPath(normalized) {
     return (hasToken(normalized, DATA_LAYER_KEYWORDS) ||
-        hasSegment(normalized, "models") ||
-        hasSegment(normalized, "schemas") ||
-        hasSegment(normalized, "migrations") ||
-        hasSegment(normalized, "seeds") ||
-        hasSegment(normalized, "db"));
+        hasAnySegment(normalized, DATA_LAYER_SEGMENTS));
 }
 export function isSecuritySensitivePath(normalized) {
     return hasToken(normalized, SECURITY_KEYWORDS);

package/dist/io/runArtifactTypes.d.ts

@@ -0,0 +1,18 @@
+export interface RunPaths {
+    runDir: string;
+    taskPath: string;
+    promptPath: string;
+    resultPath: string;
+    stdoutPath: string;
+    stderrPath: string;
+    statusPath: string;
+}
+export interface DispatchBatchRun {
+    run_id: string;
+    task_path: string;
+    prompt_path: string;
+    result_path: string;
+    status_path: string;
+    audit_results_path?: string;
+    pending_audit_tasks_path?: string;
+}

package/dist/io/runArtifactTypes.js

@@ -0,0 +1 @@
+export {};

package/dist/io/runArtifacts.d.ts

@@ -1,23 +1,7 @@
 import type { AuditTask } from "../types.js";
 import type { WorkerTask } from "../types/workerSession.js";
-export interface RunPaths {
-    runDir: string;
-    taskPath: string;
-    promptPath: string;
-    resultPath: string;
-    stdoutPath: string;
-    stderrPath: string;
-    statusPath: string;
-}
-export interface DispatchBatchRun {
-    run_id: string;
-    task_path: string;
-    prompt_path: string;
-    result_path: string;
-    status_path: string;
-    audit_results_path?: string;
-    pending_audit_tasks_path?: string;
-}
+import type { RunPaths, DispatchBatchRun } from "./runArtifactTypes.js";
+export type { RunPaths, DispatchBatchRun } from "./runArtifactTypes.js";
 export declare function buildRunId(obligationId: string | null, index: number, now?: Date): string;
 export declare function getRunPaths(artifactsDir: string, runId: string): RunPaths;
 export declare function ensureSupervisorDirs(artifactsDir: string): Promise<void>;