auditor-lambda 0.8.0 → 0.9.1

package/dist/orchestrator/planningExecutors.js

@@ -0,0 +1,95 @@
+import { initializeCoverageFromPlan } from "./planning.js";
+import { applyScopeToCoverage, fullAuditScope } from "./scope.js";
+import { buildFlowCoverage } from "./flowCoverage.js";
+import { buildRequeuePayload } from "./requeueCommand.js";
+import { buildRuntimeValidationTasks, discoverRuntimeValidationCommand, mergeRuntimeValidationReport, } from "./runtimeValidation.js";
+import { buildChunkedAuditTasks, } from "./taskBuilder.js";
+import { buildAuditPlanMetrics, buildReviewPackets, sizeIndexFromManifest, } from "./reviewPackets.js";
+import { autoCompleteTrivialCoverage } from "./trivialAudit.js";
+export async function runPlanningExecutor(bundle, root, lineIndex = {}, sizeIndex, scope) {
+    if (!bundle.repo_manifest) {
+        throw new Error("Cannot run planning executor without repo_manifest");
+    }
+    const resolvedSizeIndex = sizeIndex ?? sizeIndexFromManifest(bundle.repo_manifest);
+    if (!bundle.file_disposition ||
+        !bundle.unit_manifest ||
+        !bundle.surface_manifest ||
+        !bundle.critical_flows ||
+        !bundle.risk_register) {
+        throw new Error("Cannot run planning executor without current structure artifacts");
+    }
+    const resolvedScope = scope ?? fullAuditScope();
+    const externalAnalyzerResults = bundle.external_analyzer_results;
+    const coverage = initializeCoverageFromPlan(bundle.repo_manifest, bundle.unit_manifest, bundle.file_disposition, externalAnalyzerResults);
+    const skippedTrivialPaths = autoCompleteTrivialCoverage(coverage, lineIndex, externalAnalyzerResults);
+    // Delta scope: only seed + expanded files stay pending; the rest inherit prior
+    // completion or are excluded from this run. Full scope is a no-op.
+    applyScopeToCoverage(coverage, resolvedScope, bundle.coverage_matrix);
+    const flowCoverage = buildFlowCoverage(bundle.critical_flows, coverage);
+    const runtimeCommand = await discoverRuntimeValidationCommand(root);
+    const runtimeValidationTasks = buildRuntimeValidationTasks({
+        unitManifest: bundle.unit_manifest,
+        criticalFlows: bundle.critical_flows,
+        flowCoverage,
+        command: runtimeCommand,
+    });
+    const runtimeValidationReport = runtimeValidationTasks.tasks.length > 0
+        ? mergeRuntimeValidationReport(runtimeValidationTasks, bundle.runtime_validation_report)
+        : undefined;
+    const auditTasks = buildChunkedAuditTasks(coverage, lineIndex, {
+        external_analyzer_results: externalAnalyzerResults,
+        critical_flows: bundle.critical_flows,
+    });
+    const taggedAuditTasks = auditTasks.map((task) => ({
+        ...task,
+        status: task.status ?? "pending",
+    }));
+    const reviewPackets = buildReviewPackets(taggedAuditTasks, {
+        graphBundle: bundle.graph_bundle,
+        lineIndex,
+        sizeIndex: resolvedSizeIndex,
+    });
+    const auditPlanMetrics = buildAuditPlanMetrics(taggedAuditTasks, {
+        graphBundle: bundle.graph_bundle,
+        lineIndex,
+        sizeIndex: resolvedSizeIndex,
+    });
+    const requeuePayload = buildRequeuePayload(coverage, bundle.critical_flows, flowCoverage, externalAnalyzerResults);
+    const scopeSummary = resolvedScope.mode === "delta"
+        ? ` Delta scope since ${resolvedScope.since}: ${resolvedScope.seed_files.length} changed file(s) + ${resolvedScope.expanded_files.length} graph neighbour(s) queued; a full audit is advised before release.`
+        : "";
+    return {
+        updated: {
+            ...bundle,
+            scope: resolvedScope,
+            coverage_matrix: coverage,
+            flow_coverage: flowCoverage,
+            runtime_validation_tasks: runtimeValidationTasks,
+            runtime_validation_report: runtimeValidationReport,
+            audit_tasks: taggedAuditTasks,
+            audit_plan_metrics: auditPlanMetrics,
+            review_packets: reviewPackets,
+            requeue_tasks: requeuePayload.tasks,
+            audit_report: undefined,
+        },
+        artifacts_written: [
+            "scope.json",
+            "coverage_matrix.json",
+            "flow_coverage.json",
+            "runtime_validation_tasks.json",
+            ...(runtimeValidationReport ? ["runtime_validation_report.json"] : []),
+            "audit_tasks.json",
+            "audit_plan_metrics.json",
+            "review_packets.json",
+            "requeue_tasks.json",
+        ],
+        progress_summary: `Built planning artifacts; generated ${taggedAuditTasks.length} review tasks in ${reviewPackets.length} packet(s) and ${requeuePayload.task_count} requeue tasks.` +
+            scopeSummary +
+            (skippedTrivialPaths.length > 0
+                ? ` Skipped ${skippedTrivialPaths.length} trivial path${skippedTrivialPaths.length === 1 ? "" : "s"} from semantic review.`
+                : "") +
+            (runtimeCommand
+                ? ` Runtime validation will use: ${runtimeCommand.join(" ")}.`
+                : " No deterministic runtime validation command was discovered."),
+    };
+}

package/dist/orchestrator/runtimeCommand.js

@@ -1,18 +1,16 @@
 import { spawn } from "node:child_process";
+import { quoteForOpenTokenCmd, wrapForOpenToken } from "@audit-tools/shared";
 // Deterministic runtime-validation command execution: resolve a command to a
 // platform-correct spawn invocation (Windows package-manager shims need a
 // cmd.exe wrapper), optionally wrap it for opentoken accounting, and run it
 // capturing a confirmed/not_confirmed/inconclusive outcome. Hoisted out of
 // internalExecutors.ts as a shared, side-effect-only helper module.
+//
+// The cmd.exe quoting (both for the opentoken wrap and the package-manager
+// batch path) reuses the canonical exec.ts helpers so the safe-character set
+// stays unified — the two formerly-private copies here diverged on `@`.
 function resolveOpentokenWrap(resolved, platform = process.platform) {
-    if (platform === "win32") {
-        const shell = process.env.ComSpec ?? "cmd.exe";
-        const inner = [resolved.command, ...resolved.args]
-            .map((v) => (/^[A-Za-z0-9_./:=@+-]+$/.test(v) ? v : `"${v.replace(/(["^&|<>%])/g, "^$1")}"`))
-            .join(" ");
-        return { command: shell, args: ["/d", "/s", "/c", `opentoken wrap ${inner}`] };
-    }
-    return { command: "opentoken", args: ["wrap", resolved.command, ...resolved.args] };
+    return wrapForOpenToken(resolved.command, resolved.args, "opentoken", platform);
 }
 export async function runCommand(command, cwd, options = {}) {
     let spawnCommand = resolveRuntimeValidationSpawnCommand(command);
@@ -66,14 +64,8 @@ export function resolveRuntimeValidationSpawnCommand(command, platform = process
     if (["npm", "npx", "pnpm", "yarn"].includes(packageManager)) {
         return {
             command: shellCommand,
-            args: ["/d", "/s", "/c", command.map(quoteCmdArg).join(" ")],
+            args: ["/d", "/s", "/c", command.map(quoteForOpenTokenCmd).join(" ")],
         };
     }
     return { command: executable, args };
 }
-function quoteCmdArg(value) {
-    if (/^[A-Za-z0-9_./:=+-]+$/.test(value)) {
-        return value;
-    }
-    return `"${value.replace(/(["^&|<>%])/g, "^$1")}"`;
-}

package/dist/orchestrator/selectiveDeepening/conflict.d.ts

@@ -0,0 +1,8 @@
+import type { AuditTask } from "../../types.js";
+import { type FindingContext } from "./shared.js";
+export declare function buildConflictFollowupTask(params: {
+    contexts: FindingContext[];
+    conflictKey: string;
+    lineIndex?: Record<string, number>;
+}): AuditTask;
+export declare function conflictGroups(contexts: FindingContext[]): Map<string, FindingContext[]>;

package/dist/orchestrator/selectiveDeepening/conflict.js

@@ -0,0 +1,71 @@
+import { CONFIDENCE_RANK, DEEPENING_TAG, SEVERITY_RANK, lineCountForPath, sanitizeSegment, taskIdFor, uniqueSorted, } from "./shared.js";
+export function buildConflictFollowupTask(params) {
+    const [first] = params.contexts;
+    const paths = uniqueSorted(params.contexts.flatMap((context) => context.paths));
+    const maxSeverity = Math.max(...params.contexts.map((context) => SEVERITY_RANK[context.finding.severity]));
+    const lineSources = new Map();
+    for (const context of params.contexts) {
+        for (const path of context.paths) {
+            if (!lineSources.has(path)) {
+                lineSources.set(path, { task: context.task, result: context.result });
+            }
+        }
+    }
+    const sourceTaskIds = uniqueSorted(params.contexts.map((context) => context.result.task_id));
+    const findingIds = uniqueSorted(params.contexts.map((context) => context.finding.id));
+    return {
+        task_id: taskIdFor("conflict", [
+            params.conflictKey,
+            ...sourceTaskIds,
+            ...findingIds,
+        ]),
+        unit_id: first?.result.unit_id ?? "selective-deepening",
+        pass_id: `deepening:${first?.result.pass_id ?? "conflict"}`,
+        lens: (first?.result.lens ?? "correctness"),
+        file_paths: paths,
+        file_line_counts: Object.fromEntries(paths.map((path) => {
+            const source = lineSources.get(path);
+            return [
+                path,
+                source
+                    ? lineCountForPath(path, source.task, source.result, params.lineIndex)
+                    : (params.lineIndex?.[path] ?? 0),
+            ];
+        })),
+        rationale: `Reconcile conflicting audit output for ${params.conflictKey}. ` +
+            `Compare source tasks ${sourceTaskIds.join(", ")} and decide the correct severity, confidence, and evidence-backed conclusion.`,
+        priority: maxSeverity >= SEVERITY_RANK.high ? "high" : "medium",
+        tags: [
+            DEEPENING_TAG,
+            "trigger:conflicting_output",
+            ...sourceTaskIds.slice(0, 3).map((id) => `source_task:${sanitizeSegment(id)}`),
+        ],
+        status: "pending",
+    };
+}
+export function conflictGroups(contexts) {
+    const groups = new Map();
+    for (const context of contexts) {
+        for (const path of context.paths) {
+            const key = [
+                context.result.lens,
+                context.finding.category,
+                path.toLowerCase(),
+            ].join(":");
+            const group = groups.get(key) ?? [];
+            group.push(context);
+            groups.set(key, group);
+        }
+    }
+    for (const [key, group] of groups) {
+        const uniqueTasks = new Set(group.map((context) => context.result.task_id));
+        const severities = group.map((context) => SEVERITY_RANK[context.finding.severity]);
+        const confidences = group.map((context) => CONFIDENCE_RANK[context.finding.confidence]);
+        const severitySpread = Math.max(...severities) - Math.min(...severities);
+        const confidenceSpread = Math.max(...confidences) - Math.min(...confidences);
+        if (uniqueTasks.size < 2 || (severitySpread < 2 && confidenceSpread < 2)) {
+            groups.delete(key);
+        }
+    }
+    return groups;
+}

package/dist/orchestrator/selectiveDeepening/findingFollowup.d.ts

@@ -0,0 +1,10 @@
+import type { AuditResult, AuditTask, Finding } from "../../types.js";
+import { type FindingContext } from "./shared.js";
+export declare function buildFindingFollowupTask(params: {
+    result: AuditResult;
+    task?: AuditTask;
+    finding: Finding;
+    triggers: string[];
+    lineIndex?: Record<string, number>;
+}): AuditTask;
+export declare function findingContexts(results: AuditResult[], taskById: Map<string, AuditTask>): FindingContext[];

package/dist/orchestrator/selectiveDeepening/findingFollowup.js

@@ -0,0 +1,52 @@
+import { DEEPENING_TAG, SEVERITY_RANK, isDeepeningTask, lineCountForPath, pathsForFinding, sanitizeSegment, taskIdFor, } from "./shared.js";
+export function buildFindingFollowupTask(params) {
+    const paths = pathsForFinding(params.finding, params.result, params.task);
+    const triggerLabel = params.triggers.join("+");
+    const taskId = taskIdFor("finding", [
+        params.result.task_id,
+        params.finding.id,
+        triggerLabel,
+    ]);
+    const priority = SEVERITY_RANK[params.finding.severity] >= SEVERITY_RANK.high
+        ? "high"
+        : "medium";
+    return {
+        task_id: taskId,
+        unit_id: params.result.unit_id,
+        pass_id: `deepening:${params.result.pass_id}`,
+        lens: params.result.lens,
+        file_paths: paths,
+        file_line_counts: Object.fromEntries(paths.map((path) => [
+            path,
+            lineCountForPath(path, params.task, params.result, params.lineIndex),
+        ])),
+        rationale: `Follow up on ${params.finding.id} (${params.finding.severity}/${params.finding.confidence}) from ${params.result.task_id}. ` +
+            "Verify impact, evidence quality, affected scope, and whether the finding should stand, narrow, or be downgraded.",
+        priority,
+        tags: [
+            DEEPENING_TAG,
+            ...params.triggers.map((trigger) => `trigger:${trigger}`),
+            `source_task:${sanitizeSegment(params.result.task_id)}`,
+            `finding:${sanitizeSegment(params.finding.id)}`,
+        ],
+        status: "pending",
+    };
+}
+export function findingContexts(results, taskById) {
+    const contexts = [];
+    for (const result of results) {
+        const task = taskById.get(result.task_id);
+        if (isDeepeningTask(task)) {
+            continue;
+        }
+        for (const finding of result.findings) {
+            contexts.push({
+                result,
+                task,
+                finding,
+                paths: pathsForFinding(finding, result, task),
+            });
+        }
+    }
+    return contexts;
+}

package/dist/orchestrator/selectiveDeepening/highRiskClean.d.ts

@@ -0,0 +1,7 @@
+import type { AuditResult, AuditTask } from "../../types.js";
+export declare function isHighRiskCleanResult(result: AuditResult, task: AuditTask | undefined): boolean;
+export declare function buildHighRiskCleanFollowupTask(params: {
+    result: AuditResult;
+    task?: AuditTask;
+    lineIndex?: Record<string, number>;
+}): AuditTask;

package/dist/orchestrator/selectiveDeepening/highRiskClean.js

@@ -0,0 +1,44 @@
+import { DEEPENING_TAG, isDeepeningTask, lineCountForPath, sanitizeSegment, taskIdFor, uniqueSorted, } from "./shared.js";
+export function isHighRiskCleanResult(result, task) {
+    if (result.findings.length > 0 ||
+        result.requires_followup === false ||
+        isDeepeningTask(task)) {
+        return false;
+    }
+    if (!task) {
+        return (result.requires_followup === true &&
+            (result.lens === "security" || result.lens === "data_integrity"));
+    }
+    if (task.priority === "high") {
+        return true;
+    }
+    if (task.tags?.some((tag) => ["critical_flow", "external_analyzer_signal"].includes(tag))) {
+        return true;
+    }
+    return result.requires_followup === true && task.priority === "medium";
+}
+export function buildHighRiskCleanFollowupTask(params) {
+    const paths = uniqueSorted((params.task?.file_paths.length ?? 0) > 0
+        ? (params.task?.file_paths ?? [])
+        : params.result.file_coverage.map((coverage) => coverage.path));
+    return {
+        task_id: taskIdFor("clean", [params.result.task_id, params.result.lens]),
+        unit_id: params.result.unit_id,
+        pass_id: `deepening:${params.result.pass_id}`,
+        lens: params.result.lens,
+        file_paths: paths,
+        file_line_counts: Object.fromEntries(paths.map((path) => [
+            path,
+            lineCountForPath(path, params.task, params.result, params.lineIndex),
+        ])),
+        rationale: `Sample high-risk no-finding result from ${params.result.task_id}. ` +
+            "Re-review the assigned files for missed edge cases, hidden runtime failures, and whether the clean conclusion should stand.",
+        priority: params.task?.priority === "high" ? "high" : "medium",
+        tags: [
+            DEEPENING_TAG,
+            "trigger:high_risk_no_finding",
+            `source_task:${sanitizeSegment(params.result.task_id)}`,
+        ],
+        status: "pending",
+    };
+}

package/dist/orchestrator/selectiveDeepening/index.d.ts

@@ -0,0 +1,18 @@
+import type { AuditTask } from "../../types.js";
+import { type BuildSelectiveDeepeningTaskOptions } from "./shared.js";
+export type { BuildSelectiveDeepeningTaskOptions } from "./shared.js";
+/**
+ * Build the bounded set of selective-deepening follow-up tasks. Each strategy
+ * (finding-followup, conflict, steward-followup, runtime-validation, lens-
+ * verification, high-risk-clean) lives in its own module under this directory;
+ * this entry sequences them and enforces the shared budget (`effectiveMax`,
+ * `maxTotalDeepeningTasks`) and dedupe (via `pushIfNew`). Task ordering, caps,
+ * and dedupe are unchanged from the former single-file implementation.
+ */
+export declare function buildSelectiveDeepeningTasks(options: BuildSelectiveDeepeningTaskOptions): AuditTask[];
+export declare const selectiveDeepeningTestUtils: {
+    DEEPENING_TAG: string;
+    LENS_VERIFICATION_TAG: string;
+    LENS_VERIFICATION_FOLLOWUP_TAG: string;
+    DEFAULT_MAX_TOTAL_DEEPENING_TASKS: number;
+};

package/dist/orchestrator/selectiveDeepening/index.js

@@ -0,0 +1,128 @@
+import { DEFAULT_MAX_DEEPENING_TASKS, DEFAULT_MAX_TOTAL_DEEPENING_TASKS, DEEPENING_TAG, LENS_VERIFICATION_FOLLOWUP_TAG, LENS_VERIFICATION_TAG, SEVERITY_RANK, intersects, isDeepeningTask, priorityRank, } from "./shared.js";
+import { buildFindingFollowupTask, findingContexts } from "./findingFollowup.js";
+import { buildConflictFollowupTask, conflictGroups } from "./conflict.js";
+import { buildHighRiskCleanFollowupTask, isHighRiskCleanResult, } from "./highRiskClean.js";
+import { buildRuntimeValidationFollowupTask, runtimeResultNeedsFollowup, runtimeValidationHasStrongStaticFinding, } from "./runtimeValidation.js";
+import { buildLensVerificationTasks } from "./lensVerification.js";
+import { buildVerificationFollowupTasks } from "./stewardFollowup.js";
+/**
+ * Build the bounded set of selective-deepening follow-up tasks. Each strategy
+ * (finding-followup, conflict, steward-followup, runtime-validation, lens-
+ * verification, high-risk-clean) lives in its own module under this directory;
+ * this entry sequences them and enforces the shared budget (`effectiveMax`,
+ * `maxTotalDeepeningTasks`) and dedupe (via `pushIfNew`). Task ordering, caps,
+ * and dedupe are unchanged from the former single-file implementation.
+ */
+export function buildSelectiveDeepeningTasks(options) {
+    const taskById = new Map((options.existingTasks ?? []).map((task) => [task.task_id, task]));
+    const existingTasks = options.existingTasks ?? [];
+    const existingIds = new Set(taskById.keys());
+    const maxTasks = options.maxTasks ?? DEFAULT_MAX_DEEPENING_TASKS;
+    const maxTotalDeepeningTasks = options.maxTotalDeepeningTasks ?? DEFAULT_MAX_TOTAL_DEEPENING_TASKS;
+    const existingDeepeningCount = existingTasks.filter((task) => isDeepeningTask(task)).length;
+    if (existingDeepeningCount >= maxTotalDeepeningTasks) {
+        return [];
+    }
+    const remainingBudget = maxTotalDeepeningTasks - existingDeepeningCount;
+    const effectiveMax = Math.min(maxTasks, remainingBudget);
+    const created = [];
+    function pushIfNew(task) {
+        if (created.length >= effectiveMax || existingIds.has(task.task_id)) {
+            return;
+        }
+        existingIds.add(task.task_id);
+        created.push(task);
+    }
+    const contexts = findingContexts(options.results, taskById);
+    for (const context of contexts) {
+        const triggers = [];
+        if (SEVERITY_RANK[context.finding.severity] >= SEVERITY_RANK.high) {
+            triggers.push("high_severity");
+        }
+        if (context.finding.confidence === "low") {
+            triggers.push("low_confidence");
+        }
+        if (triggers.length === 0) {
+            continue;
+        }
+        pushIfNew(buildFindingFollowupTask({
+            result: context.result,
+            task: context.task,
+            finding: context.finding,
+            triggers,
+            lineIndex: options.lineIndex,
+        }));
+    }
+    for (const [key, group] of [...conflictGroups(contexts).entries()].sort(([a], [b]) => a.localeCompare(b))) {
+        pushIfNew(buildConflictFollowupTask({
+            contexts: group,
+            conflictKey: key,
+            lineIndex: options.lineIndex,
+        }));
+    }
+    for (const result of options.results) {
+        const task = taskById.get(result.task_id);
+        for (const followupTask of buildVerificationFollowupTasks({
+            result,
+            task,
+            lineIndex: options.lineIndex,
+        })) {
+            pushIfNew(followupTask);
+        }
+    }
+    const runtimeTaskById = new Map((options.runtimeValidationTasks?.tasks ?? []).map((task) => [
+        task.id,
+        task,
+    ]));
+    for (const result of [...(options.runtimeValidationReport?.results ?? [])].sort((a, b) => a.task_id.localeCompare(b.task_id))) {
+        if (!runtimeResultNeedsFollowup(result.status)) {
+            continue;
+        }
+        const runtimeTask = runtimeTaskById.get(result.task_id);
+        if (!runtimeTask || runtimeTask.target_paths.length === 0) {
+            continue;
+        }
+        if (runtimeValidationHasStrongStaticFinding(runtimeTask, contexts)) {
+            continue;
+        }
+        const relatedTasks = existingTasks.filter((task) => !isDeepeningTask(task) && intersects(task.file_paths, runtimeTask.target_paths));
+        pushIfNew(buildRuntimeValidationFollowupTask({
+            runtimeTask,
+            runtimeResultStatus: result.status,
+            relatedTasks,
+            results: options.results,
+            lineIndex: options.lineIndex,
+        }));
+    }
+    for (const task of buildLensVerificationTasks({
+        existingTasks,
+        results: options.results,
+        lineIndex: options.lineIndex,
+        externalAnalyzerResults: options.externalAnalyzerResults,
+    })) {
+        pushIfNew(task);
+    }
+    const cleanResults = options.results
+        .map((result) => ({ result, task: taskById.get(result.task_id) }))
+        .filter(({ result, task }) => isHighRiskCleanResult(result, task))
+        .sort((a, b) => {
+        const priorityDelta = priorityRank(b.task?.priority) - priorityRank(a.task?.priority);
+        if (priorityDelta !== 0)
+            return priorityDelta;
+        return a.result.task_id.localeCompare(b.result.task_id);
+    });
+    for (const { result, task } of cleanResults) {
+        pushIfNew(buildHighRiskCleanFollowupTask({
+            result,
+            task,
+            lineIndex: options.lineIndex,
+        }));
+    }
+    return created;
+}
+export const selectiveDeepeningTestUtils = {
+    DEEPENING_TAG,
+    LENS_VERIFICATION_TAG,
+    LENS_VERIFICATION_FOLLOWUP_TAG,
+    DEFAULT_MAX_TOTAL_DEEPENING_TASKS,
+};

package/dist/orchestrator/selectiveDeepening/lensVerification.d.ts

@@ -0,0 +1,12 @@
+import type { AuditResult, AuditTask } from "../../types.js";
+import type { ExternalAnalyzerResults } from "../../types/externalAnalyzer.js";
+export interface LensVerificationSource {
+    result: AuditResult;
+    task?: AuditTask;
+}
+export declare function buildLensVerificationTasks(params: {
+    existingTasks: AuditTask[];
+    results: AuditResult[];
+    lineIndex?: Record<string, number>;
+    externalAnalyzerResults?: ExternalAnalyzerResults;
+}): AuditTask[];