auditor-lambda 0.8.0 → 0.9.1

package/audit-code-wrapper-lib.mjs

@@ -1268,14 +1268,11 @@ async function createStoredZipBuffer(sourceDir) {
   return Buffer.concat([...localParts, centralDirectory, endOfCentralDirectory]);
 }
 
-async function buildClaudeDesktopBundle(root, results) {
-  const bundleRoot = join(root, '.audit-code', 'install', 'claude-desktop', 'bundle');
-  const serverRoot = join(bundleRoot, 'server');
-  const manifestPath = join(bundleRoot, 'manifest.json');
-  const serverEntrypointPath = join(serverRoot, 'index.js');
-  const dxtPath = join(root, '.audit-code', 'install', 'claude-desktop', 'auditor-lambda.dxt');
-  const mcpbPath = join(root, '.audit-code', 'install', 'claude-desktop', 'auditor-lambda.mcpb');
-
+// Copy the auditor's dist + schemas + skills + wrapper entrypoints (and, best
+// effort, the resolved @audit-tools/shared dist) into the Claude Desktop bundle
+// tree. Returns whether the bundle directory already existed (for the
+// created/updated result marker).
+async function copyClaudeDesktopBundleFiles(bundleRoot, serverRoot) {
   const bundleExisted = await fileExists(bundleRoot);
   await mkdir(serverRoot, { recursive: true });
   await cp(distEntry.replace(/dist[\\/]index\.js$/, 'dist'), join(bundleRoot, 'dist'), { recursive: true, force: true });
@@ -1300,9 +1297,13 @@ async function buildClaudeDesktopBundle(root, results) {
     // @audit-tools/shared not resolvable — bundle will use runtime resolution
   }
 
-  results.push({ path: bundleRoot, mode: bundleExisted ? 'updated' : 'created' });
+  return { bundleExisted };
+}
 
-  const serverEntry = [
+// Source for the bundle's server/index.js shim: it spawns the bundled
+// audit-code.mjs in MCP mode against the user-configured repo root.
+function renderClaudeDesktopServerEntry() {
+  return [
     "import { spawn } from 'node:child_process';",
     "import { dirname, join } from 'node:path';",
     "import { fileURLToPath } from 'node:url';",
@@ -1328,10 +1329,12 @@ async function buildClaudeDesktopBundle(root, results) {
     '});',
     '',
   ].join('\n');
+}
 
-  results.push(await writeGeneratedMarkdown(serverEntrypointPath, serverEntry));
-
-  const manifest = {
+// The DXT/MCPB manifest.json describing the bundled node MCP server and its
+// Claude Desktop user-config inputs.
+function buildClaudeDesktopManifest() {
+  return {
     manifest_version: '0.3',
     name: 'auditor-lambda',
     display_name: 'Auditor Lambda',
@@ -1386,8 +1389,26 @@ async function buildClaudeDesktopBundle(root, results) {
       },
     },
   };
+}
+
+// Orchestrates the Claude Desktop bundle: copy files, write the server shim and
+// manifest, then zip into the .dxt / .mcpb archives. Pushes each generated file
+// into `results`.
+async function buildClaudeDesktopBundle(root, results) {
+  const bundleRoot = join(root, '.audit-code', 'install', 'claude-desktop', 'bundle');
+  const serverRoot = join(bundleRoot, 'server');
+  const manifestPath = join(bundleRoot, 'manifest.json');
+  const serverEntrypointPath = join(serverRoot, 'index.js');
+  const dxtPath = join(root, '.audit-code', 'install', 'claude-desktop', 'auditor-lambda.dxt');
+  const mcpbPath = join(root, '.audit-code', 'install', 'claude-desktop', 'auditor-lambda.mcpb');
 
-  results.push(await writeGeneratedJson(manifestPath, manifest));
+  const { bundleExisted } = await copyClaudeDesktopBundleFiles(bundleRoot, serverRoot);
+  results.push({ path: bundleRoot, mode: bundleExisted ? 'updated' : 'created' });
+
+  results.push(
+    await writeGeneratedMarkdown(serverEntrypointPath, renderClaudeDesktopServerEntry()),
+  );
+  results.push(await writeGeneratedJson(manifestPath, buildClaudeDesktopManifest()));
 
   const archive = await createStoredZipBuffer(bundleRoot);
   results.push(await writeGeneratedBinary(dxtPath, archive));
@@ -2509,21 +2530,15 @@ async function ensureBootstrap(argv) {
   return payload;
 }
 
-async function installBootstrap(argv, options = {}) {
-  const host = (getFlag(argv, '--host') ?? DEFAULT_INSTALL_HOST).toLowerCase();
-  const root = resolve(getFlag(argv, '--root') ?? '.');
-  await assertDirectoryExists(root, 'Target repository root');
-  const profile = getInstallProfile(host);
-  const promptSource = await readFile(promptAssetPath, 'utf8');
-  const skillSource = (await readFile(skillAssetPath, 'utf8')).replace(/\r\n/g, '\n');
-  const { body: promptBody } = splitFrontmatter(promptSource);
+// Compute the full asset-path map for an install profile. Each per-host path is
+// gated on its profile flag (null when the host is not part of this profile).
+function buildInstallAssetPaths(root, profile) {
   const installedPromptPath = join(root, '.audit-code', 'install', INSTALLED_PROMPT_FILENAME);
-  const legacyInstalledPromptPath = join(root, '.audit-code', 'install', 'audit-code.prompt.md');
   const installedSkillPath = join(root, '.audit-code', 'install', 'SKILL.md');
   const installGuidePath = join(root, '.audit-code', 'install', INSTALL_GUIDE_FILENAME);
   const installManifestPath = join(root, '.audit-code', 'install', INSTALL_MANIFEST_FILENAME);
   const mcpLauncherPath = join(root, '.audit-code', 'install', MCP_LAUNCHER_FILENAME);
-  const assetPaths = {
+  return {
     installedPromptPath,
     installedSkillPath,
     installGuidePath,
@@ -2579,144 +2594,149 @@ async function installBootstrap(argv, options = {}) {
       ? join(root, '.agent', 'skills', 'audit-code', 'SKILL.md')
       : null,
   };
+}
 
+// Always-written core assets (installed prompt + skill, shared MCP launcher,
+// AGENTS/copilot compatibility directive blocks) plus legacy-surface cleanup.
+async function writeCoreInstallAssets(root, assetPaths, promptSource, skillSource) {
   const results = [];
+  const legacyInstalledPromptPath = join(root, '.audit-code', 'install', 'audit-code.prompt.md');
   if (await fileExists(legacyInstalledPromptPath)) {
     await unlink(legacyInstalledPromptPath).catch(() => {});
   }
+  results.push(await writeGeneratedMarkdown(assetPaths.installedPromptPath, promptSource));
+  results.push(await writeGeneratedMarkdown(assetPaths.installedSkillPath, skillSource));
   results.push(
-    await writeGeneratedMarkdown(
-      installedPromptPath,
-      promptSource,
-    ),
-  );
-  results.push(await writeGeneratedMarkdown(installedSkillPath, skillSource));
-
-  results.push(
-    await writeGeneratedMarkdown(mcpLauncherPath, renderSharedMcpLauncher(repoRoot)),
+    await writeGeneratedMarkdown(assetPaths.mcpLauncherPath, renderSharedMcpLauncher(repoRoot)),
   );
 
   const compatibilityBlockTargets = [
     assetPaths.agentsInstructionsPath,
     assetPaths.copilotInstructionsPath,
   ].filter(Boolean);
-
   for (const targetPath of compatibilityBlockTargets) {
     results.push(
       await writeManagedMarkdown(
         targetPath,
         buildInstallDirective(
-          relative(dirname(targetPath), installedPromptPath) || `./.audit-code/install/${INSTALLED_PROMPT_FILENAME}`,
+          relative(dirname(targetPath), assetPaths.installedPromptPath) || `./.audit-code/install/${INSTALLED_PROMPT_FILENAME}`,
         ),
       ),
     );
   }
 
   results.push(...await removeLegacyAuditCodeSurfaceFiles(root));
+  return results;
+}
 
-  if (profile.writeCodex) {
-    results.push(
-      await writeGeneratedMarkdown(
-        assetPaths.codexSkillPath,
-        skillSource,
-      ),
-    );
-    results.push(
-      await writeGeneratedMarkdown(
-        assetPaths.codexPromptPath,
-        promptSource,
-      ),
-    );
-    results.push(
-      await writeGeneratedMarkdown(
-        assetPaths.codexMcpSetupPath,
-        renderCodexMcpSetupGuide(root),
-      ),
-    );
-    results.push(
-      await writeGeneratedMarkdown(
-        assetPaths.codexAutomationRecipePath,
-        renderCodexAutomationRecipe(),
+async function writeCodexAssets(assetPaths, promptSource, skillSource, root) {
+  return [
+    await writeGeneratedMarkdown(assetPaths.codexSkillPath, skillSource),
+    await writeGeneratedMarkdown(assetPaths.codexPromptPath, promptSource),
+    await writeGeneratedMarkdown(assetPaths.codexMcpSetupPath, renderCodexMcpSetupGuide(root)),
+    await writeGeneratedMarkdown(assetPaths.codexAutomationRecipePath, renderCodexAutomationRecipe()),
+  ];
+}
+
+// Builds the Claude Desktop DXT/MCPB bundle (mutating assetPaths with the
+// produced bundle paths) and writes the project template + remote connector.
+async function writeClaudeDesktopAssets(assetPaths, root) {
+  const results = [];
+  const claudeDesktopBundle = await buildClaudeDesktopBundle(root, results);
+  assetPaths.claudeDesktopDxtPath = claudeDesktopBundle.dxtPath;
+  assetPaths.claudeDesktopMcpbPath = claudeDesktopBundle.mcpbPath;
+  results.push(
+    await writeGeneratedMarkdown(
+      assetPaths.claudeDesktopProjectTemplatePath,
+      renderClaudeDesktopProjectTemplate(),
+    ),
+  );
+  results.push(
+    await writeGeneratedJson(
+      assetPaths.claudeDesktopRemoteConnectorPath,
+      JSON.parse(renderClaudeDesktopRemoteConnectorTemplate()),
+    ),
+  );
+  return results;
+}
+
+async function writeOpenCodeAssets(assetPaths, root) {
+  return [
+    await writeMergedGeneratedJson(
+      assetPaths.opencodeConfigPath,
+      'OpenCode project config',
+      (existing) => buildMergedOpenCodeProjectConfig(existing, root),
+    ),
+  ];
+}
+
+async function writeVSCodeAssets(assetPaths, promptBody) {
+  return [
+    await writeGeneratedMarkdown(
+      assetPaths.vscodePromptPath,
+      renderPromptFile(
+        {
+          name: 'audit-code',
+          description: 'Autonomous local loop code auditing',
+          agent: 'auditor',
+        },
+        promptBody,
       ),
-    );
-  }
+    ),
+    await writeGeneratedMarkdown(assetPaths.vscodeAgentPath, renderVSCodeAgentFile()),
+    await writeMergedGeneratedJson(
+      assetPaths.vscodeMcpConfigPath,
+      'VS Code MCP config',
+      buildMergedVSCodeMcpConfig,
+    ),
+  ];
+}
+
+async function writeAntigravityAssets(assetPaths, promptBody, skillSource, root) {
+  return [
+    await writeGeneratedMarkdown(
+      assetPaths.antigravityPlanningGuidePath,
+      renderAntigravityPlanningGuide(root),
+    ),
+    await writeGeneratedMarkdown(assetPaths.geminiCommandPath, renderGeminiCommandToml(promptBody)),
+    await writeGeneratedMarkdown(assetPaths.antigravitySkillPath, skillSource),
+  ];
+}
+
+async function installBootstrap(argv, options = {}) {
+  const host = (getFlag(argv, '--host') ?? DEFAULT_INSTALL_HOST).toLowerCase();
+  const root = resolve(getFlag(argv, '--root') ?? '.');
+  await assertDirectoryExists(root, 'Target repository root');
+  const profile = getInstallProfile(host);
+  const promptSource = await readFile(promptAssetPath, 'utf8');
+  const skillSource = (await readFile(skillAssetPath, 'utf8')).replace(/\r\n/g, '\n');
+  const { body: promptBody } = splitFrontmatter(promptSource);
+  const assetPaths = buildInstallAssetPaths(root, profile);
+  const {
+    installedPromptPath,
+    installedSkillPath,
+    installGuidePath,
+    installManifestPath,
+    mcpLauncherPath,
+  } = assetPaths;
 
+  const results = [];
+  results.push(...await writeCoreInstallAssets(root, assetPaths, promptSource, skillSource));
+
+  if (profile.writeCodex) {
+    results.push(...await writeCodexAssets(assetPaths, promptSource, skillSource, root));
+  }
   if (profile.writeClaudeDesktop) {
-    const claudeDesktopBundle = await buildClaudeDesktopBundle(root, results);
-    assetPaths.claudeDesktopDxtPath = claudeDesktopBundle.dxtPath;
-    assetPaths.claudeDesktopMcpbPath = claudeDesktopBundle.mcpbPath;
-    results.push(
-      await writeGeneratedMarkdown(
-        assetPaths.claudeDesktopProjectTemplatePath,
-        renderClaudeDesktopProjectTemplate(),
-      ),
-    );
-    results.push(
-      await writeGeneratedJson(
-        assetPaths.claudeDesktopRemoteConnectorPath,
-        JSON.parse(renderClaudeDesktopRemoteConnectorTemplate()),
-      ),
-    );
+    results.push(...await writeClaudeDesktopAssets(assetPaths, root));
   }
-
   if (profile.writeOpenCode) {
-    results.push(
-      await writeMergedGeneratedJson(
-        assetPaths.opencodeConfigPath,
-        'OpenCode project config',
-        (existing) => buildMergedOpenCodeProjectConfig(existing, root),
-      ),
-    );
+    results.push(...await writeOpenCodeAssets(assetPaths, root));
   }
-
   if (profile.writeVSCode) {
-    results.push(
-      await writeGeneratedMarkdown(
-        assetPaths.vscodePromptPath,
-        renderPromptFile(
-          {
-            name: 'audit-code',
-            description: 'Autonomous local loop code auditing',
-            agent: 'auditor',
-          },
-          promptBody,
-        ),
-      ),
-    );
-    results.push(
-      await writeGeneratedMarkdown(
-        assetPaths.vscodeAgentPath,
-        renderVSCodeAgentFile(),
-      ),
-    );
-    results.push(
-      await writeMergedGeneratedJson(
-        assetPaths.vscodeMcpConfigPath,
-        'VS Code MCP config',
-        buildMergedVSCodeMcpConfig,
-      ),
-    );
+    results.push(...await writeVSCodeAssets(assetPaths, promptBody));
   }
-
   if (profile.writeAntigravity) {
-    results.push(
-      await writeGeneratedMarkdown(
-        assetPaths.antigravityPlanningGuidePath,
-        renderAntigravityPlanningGuide(root),
-      ),
-    );
-    results.push(
-      await writeGeneratedMarkdown(
-        assetPaths.geminiCommandPath,
-        renderGeminiCommandToml(promptBody),
-      ),
-    );
-    results.push(
-      await writeGeneratedMarkdown(
-        assetPaths.antigravitySkillPath,
-        skillSource,
-      ),
-    );
+    results.push(...await writeAntigravityAssets(assetPaths, promptBody, skillSource, root));
   }
 
   const hostGuidance = buildHostCatalog({

package/dist/adapters/normalizeExternal.js

@@ -1,10 +1,13 @@
 export function normalizeGenericExternalResults(tool, items) {
+    const valid = items.filter((item) => item.path && item.summary);
+    const dropped = items.length - valid.length;
+    if (dropped > 0) {
+        process.stderr.write(`[audit-code] normalizeExternal: dropped ${dropped}/${items.length} ${tool} finding(s) missing path or summary\n`);
+    }
     return {
         tool,
         generated_at: new Date().toISOString(),
-        results: items
-            .filter((item) => item.path && item.summary)
-            .map((item, index) => ({
+        results: valid.map((item, index) => ({
             id: item.id ?? `${tool}-${index + 1}`,
             category: item.category ?? "unknown",
             severity: item.severity ?? "unknown",

package/dist/cli/args.d.ts

@@ -51,7 +51,6 @@ export declare function getTimeoutMs(argv: string[], sessionConfig: SessionConfi
 export declare function getExplicitProvider(argv: string[]): string | undefined;
 export declare function getHostModel(argv: string[]): string | null;
 export declare function getHostMaxActiveSubagents(argv: string[]): number | null;
-export declare function getQuotaProbeMode(argv: string[], sessionConfig: SessionConfig): "auto" | "never" | "force";
 export declare function resolveRunProviderName(argv: string[], sessionConfig: SessionConfig): string;
 export declare function chunkArray<T>(arr: T[], size: number): T[][];
 export declare function getUiMode(argv: string[], fallback?: UiMode): UiMode;

package/dist/cli/args.js

@@ -185,12 +185,6 @@ export function getHostModel(argv) {
 export function getHostMaxActiveSubagents(argv) {
     return parsePositiveIntegerFlag(argv, "--host-max-active-subagents") ?? null;
 }
-export function getQuotaProbeMode(argv, sessionConfig) {
-    const raw = getFlag(argv, "--quota-probe") ?? sessionConfig.quota?.probe ?? "auto";
-    if (raw === "auto" || raw === "never" || raw === "force")
-        return raw;
-    return "auto";
-}
 export function resolveRunProviderName(argv, sessionConfig) {
     return resolveFreshSessionProviderName(getExplicitProvider(argv), sessionConfig);
 }

package/dist/cli/dispatch.js

@@ -1,7 +1,7 @@
 import { mkdir, readFile, writeFile } from "node:fs/promises";
 import { existsSync } from "node:fs";
 import { isAbsolute, join, relative, resolve } from "node:path";
-import { isFileMissingError, readJsonFile, writeJsonFile } from "@audit-tools/shared";
+import { isFileMissingError, readJsonFile, writeJsonFile, DEFAULT_EMPIRICAL_HALF_LIFE_HOURS, } from "@audit-tools/shared";
 import { buildQuotaSource } from "@audit-tools/shared/quota/compositeQuotaSource";
 import { loadArtifactBundle } from "../io/artifacts.js";
 import { orderTasksForPacketReview, buildReviewPackets, sizeIndexFromManifest, } from "../orchestrator/reviewPackets.js";
@@ -480,7 +480,8 @@ export async function prepareDispatchArtifacts(params) {
         ?? null;
     const dispatchCachedLimits = await lookupDiscoveredLimits(quotaProviderKey).catch(() => null);
     const discoveredLimits = mergeDiscoveredLimits(providerLimits, dispatchCachedLimits);
-    const halfLifeHours = sessionConfig.quota?.empirical_half_life_hours ?? 24;
+    const halfLifeHours = sessionConfig.quota?.empirical_half_life_hours ??
+        DEFAULT_EMPIRICAL_HALF_LIFE_HOURS;
     const quotaSource = buildQuotaSource({ halfLifeHours });
     const quotaSourceSnapshot = await quotaSource.queryCurrentUsage(quotaProviderKey).catch(() => null);
     const waveSchedule = scheduleWave({

package/dist/cli/lineIndex.js

@@ -3,9 +3,12 @@ import { countLines } from "./args.js";
 // Line-count helpers extracted from cli.ts. Pure functions over the repo
 // manifest / task file paths — used to annotate audit tasks with per-file line
 // counts and to build line indexes for prompt rendering.
+// How many files to read concurrently when counting lines, bounding open file
+// descriptors so a large repo manifest does not exhaust the fd limit.
+const LINE_COUNT_BATCH_SIZE = 25;
 export async function buildLineIndex(root, repoManifest) {
     const entries = [];
-    const batchSize = 25;
+    const batchSize = LINE_COUNT_BATCH_SIZE;
     for (let i = 0; i < repoManifest.files.length; i += batchSize) {
         const batch = repoManifest.files.slice(i, i + batchSize);
         const results = await Promise.all(batch.map(async (file) => {

package/dist/cli/mergeAndIngestCommand.d.ts

@@ -0,0 +1 @@
+export declare function cmdMergeAndIngest(argv: string[]): Promise<void>;

package/dist/cli/mergeAndIngestCommand.js

@@ -0,0 +1,219 @@
+import { readFile, readdir } from "node:fs/promises";
+import { join, resolve } from "node:path";
+import { isFileMissingError, readJsonFile, writeJsonFile } from "@audit-tools/shared";
+import { validateAuditResults } from "../validation/auditResults.js";
+import { runAuditStep } from "./auditStep.js";
+import { DISPATCH_RESULT_MAP_FILENAME, ACTIVE_DISPATCH_FILENAME, loadDispatchResultMap, entriesByTaskId, buildPendingAuditTasks, } from "./dispatch.js";
+import { addFileLineCountHints } from "./lineIndex.js";
+import { isCanonicalResultFilename, getArtifactsDir, getFlag } from "./args.js";
+import { buildWorkerResult } from "./workerResult.js";
+export async function cmdMergeAndIngest(argv) {
+    const runId = getFlag(argv, "--run-id");
+    if (!runId)
+        throw new Error("merge-and-ingest requires --run-id <run_id>");
+    const artifactsDir = getArtifactsDir(argv);
+    const runDir = join(artifactsDir, "runs", runId);
+    const taskResultsDir = join(runDir, "task-results");
+    const auditResultsPath = join(runDir, "audit-results.json");
+    const taskPath = join(runDir, "task.json");
+    const tasksPath = join(runDir, "pending-audit-tasks.json");
+    const workerTask = await readJsonFile(taskPath);
+    const resultMap = await loadDispatchResultMap(runDir);
+    if (!resultMap) {
+        throw new Error(`No ${DISPATCH_RESULT_MAP_FILENAME} found for run ${runId}; run prepare-dispatch first.`);
+    }
+    let allTasks = [];
+    try {
+        allTasks = await readJsonFile(tasksPath);
+    }
+    catch { /* may not exist */ }
+    const entryByTaskId = entriesByTaskId(resultMap.entries);
+    if (entryByTaskId.size !== resultMap.entries.length) {
+        throw new Error(`Dispatch result map for run ${runId} contains duplicate task entries.`);
+    }
+    const expectedPaths = new Set(resultMap.entries.map((entry) => resolve(entry.result_path)));
+    let files;
+    try {
+        files = (await readdir(taskResultsDir)).filter(f => f.endsWith(".json")).sort();
+    }
+    catch {
+        files = [];
+    }
+    const passing = [];
+    const failing = [];
+    const seenTaskIds = new Set();
+    let spuriousFileCount = 0;
+    const fallbackByTaskId = new Map();
+    for (const filename of files) {
+        const filePath = resolve(join(taskResultsDir, filename));
+        if (expectedPaths.has(filePath))
+            continue;
+        // Not part of this round's plan. Still read it so a current task can be
+        // recovered by task_id (e.g. a subagent wrote a valid result under a
+        // non-assigned name).
+        try {
+            const raw = await readFile(filePath, "utf8");
+            const parsed = JSON.parse(raw);
+            if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+                const tid = typeof parsed.task_id === "string"
+                    ? String(parsed.task_id) : undefined;
+                if (tid && !fallbackByTaskId.has(tid)) {
+                    fallbackByTaskId.set(tid, parsed);
+                }
+            }
+        }
+        catch { /* not parseable — skip */ }
+        // Only genuinely stray files are "spurious". Canonical per-task result files
+        // (<stem>_<digest>.json) left by prior deepening rounds in the same
+        // task-results/ dir are legitimate and must not inflate the count or bury
+        // the real stray-file signal (3 -> 191 over a run before this fix).
+        if (!isCanonicalResultFilename(filename)) {
+            spuriousFileCount++;
+            process.stderr.write(`[merge-and-ingest] Warning: unexpected file in task-results/: ${filename}\n`);
+        }
+    }
+    for (const task of allTasks) {
+        const entry = entryByTaskId.get(task.task_id);
+        if (!entry) {
+            failing.push({
+                task_id: task.task_id,
+                errors: ["Missing dispatch result-map entry for assigned task."],
+            });
+            continue;
+        }
+        const filePath = entry.result_path;
+        let obj;
+        try {
+            obj = JSON.parse(await readFile(filePath, "utf8"));
+        }
+        catch (e) {
+            if (isFileMissingError(e)) {
+                const fallback = fallbackByTaskId.get(task.task_id);
+                if (fallback) {
+                    process.stderr.write(`[merge-and-ingest] Recovered result for '${task.task_id}' from unexpected file (matched by task_id)\n`);
+                    obj = fallback;
+                }
+                else {
+                    failing.push({
+                        task_id: task.task_id,
+                        errors: ["Missing audit result for assigned task."],
+                    });
+                    continue;
+                }
+            }
+            else {
+                failing.push({ task_id: task.task_id, errors: [`Invalid JSON: ${e.message}`] });
+                continue;
+            }
+        }
+        const record = obj && typeof obj === "object" && !Array.isArray(obj)
+            ? obj
+            : undefined;
+        const taskId = typeof record?.task_id === "string"
+            ? String(record.task_id) : undefined;
+        const resultErrors = [];
+        if (taskId) {
+            if (seenTaskIds.has(taskId)) {
+                resultErrors.push(`Duplicate audit result for assigned task '${taskId}'.`);
+            }
+            else {
+                seenTaskIds.add(taskId);
+            }
+            if (taskId !== task.task_id) {
+                resultErrors.push(`Result file is assigned to '${task.task_id}' but contains task_id '${taskId}'.`);
+            }
+        }
+        const issues = validateAuditResults([obj], [task], { lineIndex: task.file_line_counts ?? {} });
+        resultErrors.push(...issues
+            .filter(i => i.severity === "error")
+            .map(i => i.message));
+        if (resultErrors.length === 0) {
+            passing.push(obj);
+        }
+        else {
+            failing.push({ task_id: taskId ?? task.task_id, errors: resultErrors });
+        }
+    }
+    await writeJsonFile(auditResultsPath, passing);
+    const failedTasksPath = join(runDir, "failed-tasks.json");
+    if (failing.length > 0) {
+        await writeJsonFile(failedTasksPath, failing);
+    }
+    if (passing.length === 0 && failing.length > 0) {
+        throw new Error(`All ${failing.length} assigned task result(s) were missing or invalid; blocked before ingestion. See ${failedTasksPath}`);
+    }
+    const findingCount = passing.reduce((sum, result) => sum + result.findings.length, 0);
+    let result = null;
+    if (passing.length > 0) {
+        result = await runAuditStep({
+            root: workerTask.repo_root,
+            artifactsDir,
+            preferredExecutor: "result_ingestion_executor",
+            auditResultsPath,
+        });
+        const updatedPendingTasks = await addFileLineCountHints(workerTask.repo_root, buildPendingAuditTasks(result.updated_bundle));
+        await writeJsonFile(tasksPath, updatedPendingTasks);
+    }
+    const activeDispatchPath = join(artifactsDir, ACTIVE_DISPATCH_FILENAME);
+    try {
+        const dispatch = await readJsonFile(activeDispatchPath);
+        if (dispatch.run_id === runId) {
+            dispatch.status = failing.length > 0 ? "active" : "merged";
+            await writeJsonFile(activeDispatchPath, dispatch);
+        }
+    }
+    catch { /* no active dispatch file — skip */ }
+    let retryDispatchPath = null;
+    if (failing.length > 0) {
+        const failedTaskIds = new Set(failing.map((f) => f.task_id));
+        const failedPacketIds = [
+            ...new Set(resultMap.entries
+                .filter((e) => failedTaskIds.has(e.task_id))
+                .map((e) => e.packet_id)),
+        ];
+        const retryDispatch = {
+            run_id: runId,
+            retry_packet_ids: failedPacketIds,
+            failed_task_count: failing.length,
+            accepted_task_count: passing.length,
+        };
+        retryDispatchPath = join(runDir, "retry-dispatch.json");
+        await writeJsonFile(retryDispatchPath, retryDispatch);
+        process.stderr.write(`[merge-and-ingest] ${passing.length} accepted, ${failing.length} failed. ` +
+            `Retry packets: ${failedPacketIds.join(", ")}\n`);
+    }
+    const status = failing.length > 0
+        ? "partial"
+        : (result?.progress_made ? "completed" : "no_progress");
+    const workerResult = buildWorkerResult({
+        runId,
+        obligationId: workerTask.obligation_id,
+        status: failing.length > 0 ? "no_progress" : (result?.progress_made ? "completed" : "no_progress"),
+        progressMade: result?.progress_made ?? false,
+        selectedExecutor: result?.selected_executor ?? null,
+        artifactsWritten: result?.artifacts_written ?? [],
+        summary: result?.progress_summary ?? `${failing.length} task(s) failed`,
+        nextLikelyStep: result?.next_likely_step ?? null,
+        errors: [],
+    });
+    await writeJsonFile(workerTask.result_path, workerResult);
+    console.log(JSON.stringify({
+        run_id: runId,
+        status,
+        accepted_count: passing.length,
+        rejected_count: failing.length,
+        spurious_file_count: spuriousFileCount,
+        finding_count: findingCount,
+        audit_results_path: auditResultsPath,
+        ...(retryDispatchPath ? { retry_dispatch_path: retryDispatchPath } : {}),
+        ...(result ? {
+            selected_executor: workerResult.selected_executor,
+            progress_made: workerResult.progress_made,
+            progress_summary: workerResult.summary,
+            next_likely_step: workerResult.next_likely_step,
+        } : {}),
+    }, null, 2));
+    if (failing.length > 0) {
+        process.exitCode = 2;
+    }
+}

package/dist/cli/nextStepCommand.js

@@ -71,7 +71,11 @@ async function runDeterministicForNextStep(params) {
             if (taskFiles.size > 0) {
                 const integrity = await checkFileIntegrity(params.root, bundle.repo_manifest, [...taskFiles]);
                 if (!integrity.is_clean) {
-                    console.log(`File integrity check: ${integrity.changed_files.length} changed, ${integrity.missing_files.length} missing — re-running intake.`);
+                    // Route this diagnostic OFF stdout: cmdNextStep emits the step
+                    // contract as the sole stdout payload via console.log(JSON.stringify),
+                    // so a console.log here would corrupt the JSON-on-stdout contract.
+                    process.stderr.write(`[audit-code] nextStep: integrity check — ${integrity.changed_files.length} changed, ` +
+                        `${integrity.missing_files.length} missing, ${integrity.io_errors.length} io-error(s); re-running intake.\n`);
                     await advanceAudit(bundle, { root: params.root, preferredExecutor: "intake_executor", opentoken: params.opentoken });
                     continue;
                 }