auditor-lambda 0.8.0 → 0.9.0

package/dist/io/runArtifacts.js

@@ -61,6 +61,10 @@ export async function ensureSupervisorDirs(artifactsDir) {
 }
 async function writeDispatchSchemaFiles(artifactsDir) {
     const dispatchDir = join(artifactsDir, "dispatch");
+    // Ensure the dispatch dir exists: this is now written before the pointer
+    // files (which formerly created it), and parallel-slot dispatch may reach
+    // here before the canonical dispatch has run.
+    await mkdir(dispatchDir, { recursive: true });
     await writeFile(join(dispatchDir, CURRENT_SCHEMA_FILENAME), await readFile(auditResultSchemaPath, "utf8"), "utf8");
     await writeFile(join(dispatchDir, CURRENT_RESULTS_SCHEMA_FILENAME), await readFile(auditResultsSchemaPath, "utf8"), "utf8");
     await writeFile(join(dispatchDir, CURRENT_FINDING_SCHEMA_FILENAME), await readFile(findingSchemaPath, "utf8"), "utf8");
@@ -116,15 +120,22 @@ export async function writeWorkerTaskFiles(task, prompt, paths, artifactsDir, cu
         run_id: task.run_id,
         status: "dispatched",
     });
-    if (options.updateDispatch === false) {
-        await writeDispatchSchemaFiles(artifactsDir);
+    // The result schema files are always required by the worker, regardless of
+    // whether this run owns the shared "current dispatch" pointer files.
+    await writeDispatchSchemaFiles(artifactsDir);
+    // Parallel-slot dispatch passes updateDispatch:false so each slot does NOT
+    // clobber the shared current-task / current-prompt / current-tasks pointers
+    // (only the single canonical dispatch should own them). The default path
+    // (updateDispatch unset/true) refreshes those pointers and the single-task
+    // fallback.
+    const updateDispatch = options.updateDispatch !== false;
+    if (!updateDispatch) {
         return;
     }
     await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASK_FILENAME), task);
     await writeFile(join(artifactsDir, "dispatch", CURRENT_PROMPT_FILENAME), prompt, "utf8");
     await writeJsonFile(join(artifactsDir, "dispatch", CURRENT_TASKS_FILENAME), currentTasks ?? []);
     await writeSingleTaskFallbackFiles(artifactsDir, task, currentTasks);
-    await writeDispatchSchemaFiles(artifactsDir);
 }
 export async function writeDispatchBatchFiles(artifactsDir, runs, currentTasks) {
     const summary = {

package/dist/mcp/server.js

@@ -125,6 +125,7 @@ async function runWrapperCommand(args, options) {
         });
     });
 }
+const SUBPROCESS_STDERR_TAIL_CHARS = 2000;
 async function parseCliJson(args, options, allowNonZero = false) {
     const result = await runWrapperCommand(args, options);
     const combined = result.stdout.trim() || result.stderr.trim();
@@ -134,6 +135,14 @@ async function parseCliJson(args, options, allowNonZero = false) {
     if (combined.length === 0) {
         throw new Error("Command completed without JSON output.");
     }
+    // On a successful (or tolerated-nonzero) call we parse stdout for the JSON
+    // payload and otherwise discard stderr. Surface any captured stderr as a
+    // tail so subprocess diagnostics (warnings, structured stderr lines) are not
+    // lost when the command still succeeded.
+    const stderrTail = result.stderr.trim();
+    if (stderrTail.length > 0) {
+        process.stderr.write(`[audit-code] mcp: subprocess stderr: ${stderrTail.slice(-SUBPROCESS_STDERR_TAIL_CHARS)}\n`);
+    }
     try {
         return JSON.parse(result.stdout);
     }

package/dist/orchestrator/advance.js

@@ -1,13 +1,28 @@
 import { decideNextStep, findObligation } from "./nextStep.js";
 import { deriveAuditState } from "./state.js";
 import { computeArtifactMetadata } from "./artifactMetadata.js";
-import { runIntakeExecutor, runStructureExecutor, runPlanningExecutor, runResultIngestionExecutor, runRuntimeValidationExecutor, runRuntimeValidationUpdateExecutor, runDesignAssessmentExecutor, runDesignReviewAutoComplete, runExternalAnalyzerImportExecutor, } from "./internalExecutors.js";
+import { runIntakeExecutor } from "./intakeExecutors.js";
+import { runStructureExecutor, runDesignAssessmentExecutor, runDesignReviewAutoComplete, } from "./structureExecutors.js";
+import { runPlanningExecutor } from "./planningExecutors.js";
+import { runResultIngestionExecutor, runRuntimeValidationExecutor, runRuntimeValidationUpdateExecutor, runExternalAnalyzerImportExecutor, } from "./ingestionExecutors.js";
 import { runSynthesisExecutor, runSynthesisNarrativeExecutor, } from "./synthesisExecutors.js";
 import { runAutoFixExecutor } from "./autoFixExecutor.js";
 import { runSyntaxResolutionExecutor } from "./syntaxResolutionExecutor.js";
 import { runGraphEnrichmentExecutor } from "./graphEnrichmentExecutor.js";
 import { resolveAuditScope } from "./scope.js";
 import { RunLogger } from "@audit-tools/shared";
+/**
+ * Narrow an optional root to a definite string for an executor that requires
+ * it, throwing the canonical "advanceAudit <executor> requires root" error
+ * otherwise. Replaces the guard previously copy-pasted across every
+ * root-dependent executor branch below.
+ */
+function requireRoot(root, executorName) {
+    if (!root) {
+        throw new Error(`advanceAudit ${executorName} requires root`);
+    }
+    return root;
+}
 function cloneState(state) {
     return {
         ...state,
@@ -64,11 +79,11 @@ export async function advanceAudit(bundle, options = {}) {
     });
     try {
         switch (selectedExecutor) {
-            case "intake_executor":
-                if (!options.root)
-                    throw new Error("advanceAudit intake_executor requires root");
-                run = await runIntakeExecutor(bundle, options.root);
+            case "intake_executor": {
+                const root = requireRoot(options.root, "intake_executor");
+                run = await runIntakeExecutor(bundle, root);
                 break;
+            }
             case "structure_executor":
                 run = await runStructureExecutor(bundle, options.root);
                 break;
@@ -86,26 +101,26 @@ export async function advanceAudit(bundle, options = {}) {
             case "design_review":
                 run = runDesignReviewAutoComplete(bundle);
                 break;
-            case "planning_executor":
-                if (!options.root)
-                    throw new Error("advanceAudit planning_executor requires root");
+            case "planning_executor": {
+                const root = requireRoot(options.root, "planning_executor");
                 plannedScope = resolveAuditScope({
-                    root: options.root,
+                    root,
                     since: options.since,
                     bundle,
                 });
-                run = await runPlanningExecutor(bundle, options.root, options.lineIndex ?? {}, options.sizeIndex, plannedScope);
+                run = await runPlanningExecutor(bundle, root, options.lineIndex ?? {}, options.sizeIndex, plannedScope);
                 break;
+            }
             case "result_ingestion_executor":
                 run = runResultIngestionExecutor(bundle, options.auditResults ?? bundle.audit_results ?? []);
                 break;
-            case "runtime_validation_executor":
-                if (!options.root)
-                    throw new Error("advanceAudit runtime_validation_executor requires root");
-                run = await runRuntimeValidationExecutor(bundle, options.root, {
+            case "runtime_validation_executor": {
+                const root = requireRoot(options.root, "runtime_validation_executor");
+                run = await runRuntimeValidationExecutor(bundle, root, {
                     opentoken: options.opentoken,
                 });
                 break;
+            }
             case "synthesis_executor":
                 run = runSynthesisExecutor(bundle, options.auditResults);
                 break;
@@ -122,16 +137,16 @@ export async function advanceAudit(bundle, options = {}) {
                     throw new Error("advanceAudit external_analyzer_import_executor requires externalAnalyzerResults");
                 run = runExternalAnalyzerImportExecutor(bundle, options.externalAnalyzerResults);
                 break;
-            case "auto_fix_executor":
-                if (!options.root)
-                    throw new Error("advanceAudit auto_fix_executor requires root");
-                run = runAutoFixExecutor(bundle, options.root);
+            case "auto_fix_executor": {
+                const root = requireRoot(options.root, "auto_fix_executor");
+                run = await runAutoFixExecutor(bundle, root);
                 break;
-            case "syntax_resolution_executor":
-                if (!options.root)
-                    throw new Error("advanceAudit syntax_resolution_executor requires root");
-                run = runSyntaxResolutionExecutor(bundle, options.root);
+            }
+            case "syntax_resolution_executor": {
+                const root = requireRoot(options.root, "syntax_resolution_executor");
+                run = runSyntaxResolutionExecutor(bundle, root);
                 break;
+            }
             default: {
                 const state = deriveAuditState(bundle);
                 state.last_executor = selectedExecutor;

package/dist/orchestrator/artifactFreshness.js

@@ -1,5 +1,5 @@
 import { createHash } from "node:crypto";
-import { ARTIFACT_DEPENDENCY_MAP } from "./dependencyMap.js";
+import { ARTIFACT_DEPENDENTS_MAP } from "./dependencyMap.js";
 export function stableStringify(value) {
     if (value === undefined) {
         return "null";
@@ -44,7 +44,7 @@ export function hashArtifactValue(artifactName, value) {
 }
 export function buildReverseDependencyMap() {
     const reverse = {};
-    for (const [upstream, downstreamList] of Object.entries(ARTIFACT_DEPENDENCY_MAP)) {
+    for (const [upstream, downstreamList] of Object.entries(ARTIFACT_DEPENDENTS_MAP)) {
         reverse[upstream] ??= [];
         for (const downstream of downstreamList) {
             reverse[downstream] ??= [];

package/dist/orchestrator/autoFixExecutor.d.ts

@@ -1,3 +1,3 @@
 import type { ArtifactBundle } from "../io/artifacts.js";
 import type { ExecutorRunResult } from "./executorResult.js";
-export declare function runAutoFixExecutor(bundle: ArtifactBundle, root: string): ExecutorRunResult;
+export declare function runAutoFixExecutor(bundle: ArtifactBundle, root: string): Promise<ExecutorRunResult>;

package/dist/orchestrator/autoFixExecutor.js

@@ -1,4 +1,4 @@
-import { existsSync, readFileSync } from "node:fs";
+import { access, readFile } from "node:fs/promises";
 import { join } from "node:path";
 import { isAuditExcludedStatus } from "../extractors/disposition.js";
 import { resolveNodeTool, runFirstAvailableCommand, } from "./localCommands.js";
@@ -19,23 +19,31 @@ const PRETTIER_CONFIG_FILES = [
     "prettier.config.cjs",
     "prettier.config.mjs",
 ];
-function hasPrettierConfig(root) {
-    if (PRETTIER_CONFIG_FILES.some((file) => existsSync(join(root, file)))) {
+async function pathExists(target) {
+    try {
+        await access(target);
         return true;
     }
-    const packageJsonPath = join(root, "package.json");
-    if (!existsSync(packageJsonPath)) {
+    catch {
         return false;
     }
+}
+async function hasPrettierConfig(root) {
+    const configChecks = await Promise.all(PRETTIER_CONFIG_FILES.map((file) => pathExists(join(root, file))));
+    if (configChecks.some(Boolean)) {
+        return true;
+    }
+    const packageJsonPath = join(root, "package.json");
     try {
-        const packageJson = JSON.parse(readFileSync(packageJsonPath, "utf8"));
+        const packageJson = JSON.parse(await readFile(packageJsonPath, "utf8"));
         return packageJson.prettier !== undefined;
     }
     catch {
+        // Missing package.json or unparseable JSON => no prettier config.
         return false;
     }
 }
-export function runAutoFixExecutor(bundle, root) {
+export async function runAutoFixExecutor(bundle, root) {
     if (!bundle.file_disposition) {
         throw new Error("Cannot run auto fix executor without file_disposition");
     }
@@ -51,7 +59,7 @@ export function runAutoFixExecutor(bundle, root) {
     const executedTools = [];
     const toolTimings = [];
     // JS, TS, HTML, CSS, JSON, YAML, MD
-    if (hasPrettierConfig(root) &&
+    if ((await hasPrettierConfig(root)) &&
         (extensions.has("ts") ||
             extensions.has("js") ||
             extensions.has("tsx") ||

package/dist/orchestrator/dependencyMap.d.ts

@@ -1 +1 @@
-export declare const ARTIFACT_DEPENDENCY_MAP: Record<string, string[]>;
+export declare const ARTIFACT_DEPENDENTS_MAP: Record<string, string[]>;

package/dist/orchestrator/dependencyMap.js

@@ -1,4 +1,10 @@
-export const ARTIFACT_DEPENDENCY_MAP = {
+// Invalidation map keyed by UPSTREAM artifact → the list of DOWNSTREAM
+// artifacts that depend on it (and so become stale when it changes). The name
+// reflects the actual direction: each entry's value is that key's *dependents*.
+// `buildReverseDependencyMap` flips this to the "X depends on Y" view used by
+// computeArtifactMetadata. (Renamed from the misleading ARTIFACT_DEPENDENCY_MAP,
+// which read as "X's dependencies" — the opposite of what it stores.)
+export const ARTIFACT_DEPENDENTS_MAP = {
     "tooling_manifest.json": [
         "repo_manifest.json",
     ],

package/dist/orchestrator/fileAnchors.js

@@ -1,3 +1,11 @@
+/**
+ * Graph buckets in `graph_bundle.json` that carry file-to-file edges relevant to
+ * large-file anchoring. Named here (rather than inlined as bare strings in the
+ * collection loop) so the set of scanned buckets is a single typed source of
+ * truth and each bucket key doubles as a typed fallback edge `kind`. `as const`
+ * narrows the element type from `string` to the literal union.
+ */
+const GRAPH_EDGE_BUCKETS = ["imports", "calls", "references"];
 const MAX_ANCHORS = 160;
 const KEYWORD_PATTERN = /\b(auth|token|password|secret|permission|role|sql|query|exec|spawn|eval|deserialize|encrypt|decrypt|cache|retry|timeout|transaction|lock|race|TODO|FIXME)\b/i;
 const SYMBOL_PATTERNS = [
@@ -85,8 +93,11 @@ function collectGraphEdges(graphBundle, path) {
     }
     const normalizedPath = normalizePath(path).toLowerCase();
     const edges = [];
-    for (const key of ["imports", "calls", "references"]) {
-        const raw = graphBundle.graphs[key];
+    // Typed as `string` (not the literal union) so the lookup resolves through the
+    // `[key: string]: unknown` index signature on `graphs` — the loop body then
+    // re-validates each entry's shape, matching the original deterministic parse.
+    for (const bucket of GRAPH_EDGE_BUCKETS) {
+        const raw = graphBundle.graphs[bucket];
         if (!Array.isArray(raw)) {
             continue;
         }
@@ -103,7 +114,7 @@ function collectGraphEdges(graphBundle, path) {
                     edges.push({
                         from: record.from,
                         to: record.to,
-                        kind: typeof record.kind === "string" ? record.kind : key,
+                        kind: typeof record.kind === "string" ? record.kind : bucket,
                     });
                 }
             }

package/dist/orchestrator/flowCoverage.js

@@ -6,6 +6,7 @@ function lensSetForFlow(concerns) {
         "data_integrity",
         "operability",
         "performance",
+        "observability",
     ];
     return concerns.filter((concern) => allowed.includes(concern));
 }

package/dist/orchestrator/flowRequeue.js

@@ -45,8 +45,11 @@ export function buildFlowRequeueTasks(criticalFlows, flowCoverage, coverageMatri
             ? flow.paths.filter((path) => typeof path === "string")
             : [];
         for (const lensName of missingLenses) {
+            // Skip (rather than throw on) an unsupported lens value, consistent with
+            // the filter-based lens guards elsewhere in the orchestrator: a stray
+            // non-canonical lens in flow coverage should not abort the whole requeue.
             if (!isLens(lensName)) {
-                throw new Error(`buildFlowRequeueTasks encountered unsupported lens "${String(lensName)}" for flow ${record.flow_id}.`);
+                continue;
             }
             for (const path of flowPaths) {
                 if (!fileStillNeedsLens(coverageByPath, path, lensName)) {

package/dist/orchestrator/{internalExecutors.d.ts → ingestionExecutors.d.ts}

@@ -2,13 +2,7 @@ import type { ArtifactBundle } from "../io/artifacts.js";
 import type { AuditResult } from "../types.js";
 import type { RuntimeValidationReport } from "../types/runtimeValidation.js";
 import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
-import type { AuditScopeManifest } from "../types/auditScope.js";
 import type { ExecutorRunResult } from "./executorResult.js";
-export declare function runIntakeExecutor(bundle: ArtifactBundle, root: string): Promise<ExecutorRunResult>;
-export declare function runStructureExecutor(bundle: ArtifactBundle, root?: string): Promise<ExecutorRunResult>;
-export declare function runDesignAssessmentExecutor(bundle: ArtifactBundle): ExecutorRunResult;
-export declare function runDesignReviewAutoComplete(bundle: ArtifactBundle): ExecutorRunResult;
-export declare function runPlanningExecutor(bundle: ArtifactBundle, root: string, lineIndex?: Record<string, number>, sizeIndex?: Record<string, number>, scope?: AuditScopeManifest): Promise<ExecutorRunResult>;
 export declare function runResultIngestionExecutor(bundle: ArtifactBundle, results: AuditResult[]): ExecutorRunResult;
 export declare function runRuntimeValidationExecutor(bundle: ArtifactBundle, root: string, options?: {
     opentoken?: boolean;

package/dist/orchestrator/ingestionExecutors.js

@@ -0,0 +1,237 @@
+import { runCommand } from "./runtimeCommand.js";
+import { buildFlowCoverage } from "./flowCoverage.js";
+import { buildRequeuePayload } from "./requeueCommand.js";
+import { buildRuntimeValidationTasks, mergeRuntimeValidationReport, } from "./runtimeValidation.js";
+import { ingestAuditResults, updateAuditTaskStatuses, } from "./resultIngestion.js";
+import { buildAuditPlanMetrics, buildReviewPackets, sizeIndexFromManifest, } from "./reviewPackets.js";
+import { updateRuntimeValidationReport } from "./runtimeValidationUpdate.js";
+import { buildSelectiveDeepeningTasks } from "./selectiveDeepening.js";
+function lineIndexFromTasks(tasks) {
+    return Object.fromEntries((tasks ?? []).flatMap((task) => Object.entries(task.file_line_counts ?? {})));
+}
+function appendSelectiveDeepeningTasks(params) {
+    if (!params.bundle.audit_tasks) {
+        return { bundle: params.bundle, taskCount: 0, artifacts: [] };
+    }
+    const lineIndex = lineIndexFromTasks(params.bundle.audit_tasks);
+    const sizeIndex = sizeIndexFromManifest(params.bundle.repo_manifest);
+    const selectiveDeepeningTasks = buildSelectiveDeepeningTasks({
+        existingTasks: params.bundle.audit_tasks,
+        results: params.results,
+        lineIndex,
+        runtimeValidationTasks: params.bundle.runtime_validation_tasks,
+        runtimeValidationReport: params.runtimeValidationReport ?? params.bundle.runtime_validation_report,
+        externalAnalyzerResults: params.bundle.external_analyzer_results,
+    });
+    if (selectiveDeepeningTasks.length === 0) {
+        return { bundle: params.bundle, taskCount: 0, artifacts: [] };
+    }
+    const auditTasks = [...params.bundle.audit_tasks, ...selectiveDeepeningTasks];
+    return {
+        bundle: {
+            ...params.bundle,
+            audit_tasks: auditTasks,
+            audit_plan_metrics: buildAuditPlanMetrics(auditTasks, {
+                graphBundle: params.bundle.graph_bundle,
+                lineIndex,
+                sizeIndex,
+            }),
+            review_packets: buildReviewPackets(auditTasks, {
+                graphBundle: params.bundle.graph_bundle,
+                lineIndex,
+                sizeIndex,
+            }),
+        },
+        taskCount: selectiveDeepeningTasks.length,
+        artifacts: ["audit_tasks.json", "audit_plan_metrics.json", "review_packets.json"],
+    };
+}
+/**
+ * Apply selective deepening to an already-prepared base bundle and return the
+ * pieces every executor needs to assemble its `ExecutorRunResult`: the updated
+ * bundle, the deepening artifacts, and the progress-summary suffix.
+ *
+ * Centralizing this keeps the three executors that run deepening consistent —
+ * previously each site invoked `appendSelectiveDeepeningTasks` and then
+ * re-derived the same `Added N selective deepening task(s)` suffix by hand.
+ * `excludeArtifacts` lets a caller that already lists an artifact explicitly
+ * (the result-ingestion executor lists `audit_tasks.json`) drop it from the
+ * spread so it is never double-counted.
+ */
+function applySelectiveDeepening(params) {
+    const selectiveDeepening = appendSelectiveDeepeningTasks({
+        bundle: params.baseBundle,
+        results: params.results,
+        runtimeValidationReport: params.runtimeValidationReport,
+    });
+    const exclude = new Set(params.excludeArtifacts ?? []);
+    return {
+        bundle: selectiveDeepening.bundle,
+        artifacts: selectiveDeepening.artifacts.filter((artifact) => !exclude.has(artifact)),
+        summarySuffix: selectiveDeepening.taskCount > 0
+            ? ` Added ${selectiveDeepening.taskCount} selective deepening task(s).`
+            : "",
+    };
+}
+export function runResultIngestionExecutor(bundle, results) {
+    if (!bundle.coverage_matrix) {
+        throw new Error("Cannot ingest results without coverage_matrix");
+    }
+    const updatedCoverageMatrix = ingestAuditResults(bundle.coverage_matrix, results);
+    const flowCoverage = bundle.critical_flows
+        ? buildFlowCoverage(bundle.critical_flows, updatedCoverageMatrix)
+        : bundle.flow_coverage;
+    const runtimeCommand = bundle.runtime_validation_tasks?.tasks.find((task) => task.command && task.command.length > 0)?.command;
+    const runtimeValidationTasks = bundle.unit_manifest && flowCoverage
+        ? buildRuntimeValidationTasks({
+            unitManifest: bundle.unit_manifest,
+            criticalFlows: bundle.critical_flows,
+            flowCoverage,
+            command: runtimeCommand,
+        })
+        : bundle.runtime_validation_tasks;
+    const runtimeValidationReport = runtimeValidationTasks
+        ? mergeRuntimeValidationReport(runtimeValidationTasks, bundle.runtime_validation_report)
+        : bundle.runtime_validation_report;
+    const mergedResults = [...(bundle.audit_results ?? []), ...results];
+    const completedAuditTasks = updateAuditTaskStatuses(bundle.audit_tasks, mergedResults);
+    const baseUpdatedBundle = {
+        ...bundle,
+        coverage_matrix: updatedCoverageMatrix,
+        flow_coverage: flowCoverage,
+        runtime_validation_tasks: runtimeValidationTasks,
+        runtime_validation_report: runtimeValidationReport,
+        audit_results: mergedResults,
+        audit_tasks: completedAuditTasks,
+        audit_report: undefined,
+    };
+    const selectiveDeepening = applySelectiveDeepening({
+        baseBundle: baseUpdatedBundle,
+        results: mergedResults,
+        runtimeValidationReport,
+        excludeArtifacts: ["audit_tasks.json"],
+    });
+    const requeuePayload = buildRequeuePayload(updatedCoverageMatrix, selectiveDeepening.bundle.critical_flows, selectiveDeepening.bundle.flow_coverage, selectiveDeepening.bundle.external_analyzer_results);
+    const finalBundle = {
+        ...selectiveDeepening.bundle,
+        requeue_tasks: requeuePayload.tasks,
+    };
+    return {
+        updated: finalBundle,
+        artifacts_written: [
+            "coverage_matrix.json",
+            "flow_coverage.json",
+            ...(runtimeValidationTasks ? ["runtime_validation_tasks.json"] : []),
+            ...(runtimeValidationReport ? ["runtime_validation_report.json"] : []),
+            "audit_results.jsonl",
+            "audit_tasks.json",
+            ...selectiveDeepening.artifacts,
+            "requeue_tasks.json",
+        ],
+        progress_summary: `Ingested ${results.length} audit result entries and refreshed dependent artifacts.` +
+            selectiveDeepening.summarySuffix,
+    };
+}
+export async function runRuntimeValidationExecutor(bundle, root, options = {}) {
+    if (!bundle.runtime_validation_tasks) {
+        throw new Error("Cannot execute runtime validation without runtime_validation_tasks");
+    }
+    const existing = bundle.runtime_validation_report ?? { results: [] };
+    const byTaskId = new Map(existing.results.map((result) => [result.task_id, result]));
+    const byCommand = new Map();
+    for (const task of bundle.runtime_validation_tasks.tasks) {
+        const prior = byTaskId.get(task.id);
+        if (prior &&
+            ["confirmed", "not_confirmed", "inconclusive", "not_required"].includes(prior.status)) {
+            continue;
+        }
+        if (!task.command || task.command.length === 0) {
+            byTaskId.set(task.id, {
+                task_id: task.id,
+                status: "not_required",
+                summary: `No deterministic runtime command was available for ${task.id}.`,
+                evidence: [],
+                notes: ["Runtime validation was not planned for this task."],
+            });
+            continue;
+        }
+        const signature = task.command.join("\0");
+        const outcome = byCommand.get(signature) ?? (await runCommand(task.command, root, { opentoken: options.opentoken }));
+        byCommand.set(signature, outcome);
+        byTaskId.set(task.id, {
+            task_id: task.id,
+            status: outcome.status,
+            summary: outcome.summary,
+            evidence: outcome.evidence,
+            notes: [`Target paths: ${task.target_paths.join(", ")}`],
+        });
+    }
+    const runtimeValidationReport = {
+        results: [...byTaskId.values()].sort((a, b) => a.task_id.localeCompare(b.task_id)),
+    };
+    const baseUpdatedBundle = {
+        ...bundle,
+        runtime_validation_report: runtimeValidationReport,
+        audit_report: undefined,
+    };
+    const selectiveDeepening = applySelectiveDeepening({
+        baseBundle: baseUpdatedBundle,
+        results: bundle.audit_results ?? [],
+        runtimeValidationReport,
+    });
+    return {
+        updated: selectiveDeepening.bundle,
+        artifacts_written: [
+            "runtime_validation_report.json",
+            ...selectiveDeepening.artifacts,
+        ],
+        progress_summary: `Executed deterministic runtime validation for ${bundle.runtime_validation_tasks.tasks.length} task(s).` +
+            selectiveDeepening.summarySuffix,
+    };
+}
+export function runRuntimeValidationUpdateExecutor(bundle, updates) {
+    if (!bundle.runtime_validation_tasks) {
+        throw new Error("Cannot update runtime validation without runtime_validation_tasks");
+    }
+    const existingReport = bundle.runtime_validation_report ?? { results: [] };
+    const mergedReport = updateRuntimeValidationReport(bundle.runtime_validation_tasks, existingReport, updates);
+    const baseUpdatedBundle = {
+        ...bundle,
+        runtime_validation_report: mergedReport,
+        audit_report: undefined,
+    };
+    const selectiveDeepening = applySelectiveDeepening({
+        baseBundle: baseUpdatedBundle,
+        results: bundle.audit_results ?? [],
+        runtimeValidationReport: mergedReport,
+    });
+    return {
+        updated: selectiveDeepening.bundle,
+        artifacts_written: [
+            "runtime_validation_report.json",
+            ...selectiveDeepening.artifacts,
+        ],
+        progress_summary: `Merged ${updates.results.length} runtime validation updates.` +
+            selectiveDeepening.summarySuffix,
+    };
+}
+export function runExternalAnalyzerImportExecutor(bundle, externalResults) {
+    const summary = `Imported ${externalResults.results.length} normalized findings from ${externalResults.tool}.`;
+    return {
+        updated: {
+            ...bundle,
+            external_analyzer_results: externalResults,
+            coverage_matrix: undefined,
+            flow_coverage: undefined,
+            runtime_validation_tasks: undefined,
+            runtime_validation_report: undefined,
+            audit_tasks: undefined,
+            audit_plan_metrics: undefined,
+            review_packets: undefined,
+            requeue_tasks: undefined,
+            audit_report: undefined,
+        },
+        artifacts_written: ["external_analyzer_results.json"],
+        progress_summary: summary,
+    };
+}

package/dist/orchestrator/intakeExecutors.d.ts

@@ -0,0 +1,3 @@
+import type { ArtifactBundle } from "../io/artifacts.js";
+import type { ExecutorRunResult } from "./executorResult.js";
+export declare function runIntakeExecutor(bundle: ArtifactBundle, root: string): Promise<ExecutorRunResult>;

package/dist/orchestrator/intakeExecutors.js

@@ -0,0 +1,25 @@
+import { buildFileDisposition, isAuditExcludedStatus, } from "../extractors/disposition.js";
+import { buildRepoManifestFromFs } from "../extractors/fsIntake.js";
+import { loadIgnoreFile } from "../extractors/ignore.js";
+export async function runIntakeExecutor(bundle, root) {
+    const ignore = await loadIgnoreFile(root);
+    const repoManifest = await buildRepoManifestFromFs({
+        root,
+        ignore,
+        hash_files: true,
+    });
+    const disposition = buildFileDisposition(repoManifest);
+    const auditableCount = disposition.files.filter((file) => !isAuditExcludedStatus(file.status)).length;
+    if (auditableCount === 0) {
+        throw new Error(`No auditable files found in ${root}. The repository may be empty, generated-only, documentation-only, or filtered by .auditorignore.`);
+    }
+    return {
+        updated: {
+            ...bundle,
+            repo_manifest: repoManifest,
+            file_disposition: disposition,
+        },
+        artifacts_written: ["repo_manifest.json", "file_disposition.json"],
+        progress_summary: `Created intake artifacts for ${repoManifest.files.length} files.`,
+    };
+}

package/dist/orchestrator/planningExecutors.d.ts

@@ -0,0 +1,4 @@
+import type { ArtifactBundle } from "../io/artifacts.js";
+import type { AuditScopeManifest } from "../types/auditScope.js";
+import type { ExecutorRunResult } from "./executorResult.js";
+export declare function runPlanningExecutor(bundle: ArtifactBundle, root: string, lineIndex?: Record<string, number>, sizeIndex?: Record<string, number>, scope?: AuditScopeManifest): Promise<ExecutorRunResult>;