auditor-lambda 0.9.1 → 0.9.2

package/audit-code-wrapper-lib.mjs

@@ -1277,6 +1277,11 @@ async function copyClaudeDesktopBundleFiles(bundleRoot, serverRoot) {
   await mkdir(serverRoot, { recursive: true });
   await cp(distEntry.replace(/dist[\\/]index\.js$/, 'dist'), join(bundleRoot, 'dist'), { recursive: true, force: true });
   await cp(join(repoRoot, 'schemas'), join(bundleRoot, 'schemas'), { recursive: true, force: true });
+  // dist/cli/dispatch.js reads dispatch/lens-definitions.json from the package
+  // root at runtime, so the bundle must ship the top-level dispatch/ data dir
+  // (lens-definitions.json + the standalone validate/merge helpers) the same way
+  // the npm `files` array does. Omitting it ENOENTs the first dispatch step.
+  await cp(join(repoRoot, 'dispatch'), join(bundleRoot, 'dispatch'), { recursive: true, force: true });
   await cp(join(repoRoot, 'skills', 'audit-code'), join(bundleRoot, 'skills', 'audit-code'), { recursive: true, force: true });
   await writeFile(join(bundleRoot, 'audit-code.mjs'), await readFile(join(repoRoot, 'audit-code.mjs')));
   await writeFile(join(bundleRoot, 'audit-code-wrapper-lib.mjs'), await readFile(join(repoRoot, 'audit-code-wrapper-lib.mjs')));

package/dispatch/merge-results.mjs

@@ -15,7 +15,7 @@ const artifactsDir = artifactsDirIdx !== -1 && process.argv[artifactsDirIdx + 1]
   : join(process.cwd(), ".audit-artifacts");
 
 const taskResultsDir = join(artifactsDir, "runs", runId, "task-results");
-const auditResultsPath = join(artifactsDir, "runs", runId, "audit-results.json");
+const auditResultsPath = join(artifactsDir, "runs", runId, "run-results.json");
 const failedTasksPath = join(artifactsDir, "runs", runId, "failed-tasks.json");
 const tasksPath = join(artifactsDir, "runs", runId, "pending-audit-tasks.json");
 

package/dist/cli/mergeAndIngestCommand.js

@@ -14,9 +14,28 @@ export async function cmdMergeAndIngest(argv) {
     const artifactsDir = getArtifactsDir(argv);
     const runDir = join(artifactsDir, "runs", runId);
     const taskResultsDir = join(runDir, "task-results");
-    const auditResultsPath = join(runDir, "audit-results.json");
+    const auditResultsPath = join(runDir, "run-results.json");
     const taskPath = join(runDir, "task.json");
     const tasksPath = join(runDir, "pending-audit-tasks.json");
+    const mergeCompletePath = join(runDir, "merge-complete.json");
+    // Idempotency: a fully-merged run is terminal. A stray re-invocation for the
+    // same run-id (e.g. after the run already advanced to the next deepening
+    // round, which rewrites this run dir's pending-audit-tasks.json to the *next*
+    // round's tasks) must be a clean no-op — not a spurious "all results missing"
+    // hard failure that also truncates the transient results file. Replay the
+    // recorded summary and exit 0.
+    let priorSummary = null;
+    try {
+        priorSummary = await readJsonFile(mergeCompletePath);
+    }
+    catch (e) {
+        if (!isFileMissingError(e))
+            throw e;
+    }
+    if (priorSummary) {
+        console.log(JSON.stringify({ ...priorSummary, idempotent_replay: true }, null, 2));
+        return;
+    }
     const workerTask = await readJsonFile(taskPath);
     const resultMap = await loadDispatchResultMap(runDir);
     if (!resultMap) {
@@ -42,7 +61,7 @@ export async function cmdMergeAndIngest(argv) {
     const passing = [];
     const failing = [];
     const seenTaskIds = new Set();
-    let spuriousFileCount = 0;
+    const spuriousFiles = [];
     const fallbackByTaskId = new Map();
     for (const filename of files) {
         const filePath = resolve(join(taskResultsDir, filename));
@@ -68,10 +87,16 @@ export async function cmdMergeAndIngest(argv) {
         // task-results/ dir are legitimate and must not inflate the count or bury
         // the real stray-file signal (3 -> 191 over a run before this fix).
         if (!isCanonicalResultFilename(filename)) {
-            spuriousFileCount++;
-            process.stderr.write(`[merge-and-ingest] Warning: unexpected file in task-results/: ${filename}\n`);
+            spuriousFiles.push(filename);
         }
     }
+    // Collapse stray-file warnings into a single stderr line so the real summary
+    // (emitted as the sole stdout JSON payload) is never buried under a wall of
+    // per-file warnings.
+    if (spuriousFiles.length > 0) {
+        process.stderr.write(`[merge-and-ingest] Warning: ${spuriousFiles.length} unexpected file(s) in ` +
+            `task-results/ ignored: ${spuriousFiles.join(", ")}\n`);
+    }
     for (const task of allTasks) {
         const entry = entryByTaskId.get(task.task_id);
         if (!entry) {
@@ -134,14 +159,18 @@ export async function cmdMergeAndIngest(argv) {
             failing.push({ task_id: taskId ?? task.task_id, errors: resultErrors });
         }
     }
-    await writeJsonFile(auditResultsPath, passing);
     const failedTasksPath = join(runDir, "failed-tasks.json");
     if (failing.length > 0) {
         await writeJsonFile(failedTasksPath, failing);
     }
     if (passing.length === 0 && failing.length > 0) {
+        // Nothing merged and at least one failure: a blocked no-op. Do NOT write the
+        // transient results file here — truncating it to [] reads as catastrophic
+        // data loss on a re-run when the cumulative audit_results.jsonl store is in
+        // fact intact and the first merge had simply already succeeded.
         throw new Error(`All ${failing.length} assigned task result(s) were missing or invalid; blocked before ingestion. See ${failedTasksPath}`);
     }
+    await writeJsonFile(auditResultsPath, passing);
     const findingCount = passing.reduce((sum, result) => sum + result.findings.length, 0);
     let result = null;
     if (passing.length > 0) {
@@ -197,12 +226,12 @@ export async function cmdMergeAndIngest(argv) {
         errors: [],
     });
     await writeJsonFile(workerTask.result_path, workerResult);
-    console.log(JSON.stringify({
+    const summaryPayload = {
         run_id: runId,
         status,
         accepted_count: passing.length,
         rejected_count: failing.length,
-        spurious_file_count: spuriousFileCount,
+        spurious_file_count: spuriousFiles.length,
         finding_count: findingCount,
         audit_results_path: auditResultsPath,
         ...(retryDispatchPath ? { retry_dispatch_path: retryDispatchPath } : {}),
@@ -212,7 +241,15 @@ export async function cmdMergeAndIngest(argv) {
             progress_summary: workerResult.summary,
             next_likely_step: workerResult.next_likely_step,
         } : {}),
-    }, null, 2));
+    };
+    // Record a completion marker for a fully-merged run so a stray re-invocation
+    // replays this summary (above) instead of re-processing — and possibly
+    // clobbering — terminal state. Only on full success: a partial merge is meant
+    // to be re-run after the failed packets are retried, so it stays replayable.
+    if (failing.length === 0) {
+        await writeJsonFile(mergeCompletePath, summaryPayload);
+    }
+    console.log(JSON.stringify(summaryPayload, null, 2));
     if (failing.length > 0) {
         process.exitCode = 2;
     }

package/dist/cli/nextStepCommand.js

@@ -35,6 +35,42 @@ async function runDeterministicForNextStep(params) {
     const FINALIZATION_CYCLE_TOLERANCE = 16;
     const seenStateSignatures = new Set();
     const obligationTrail = [];
+    // Build the terminal step for a deterministic loop that has stopped advancing
+    // (hit the run backstop or the finalization cycle guard). A rendered report is
+    // the deliverable: if synthesis already produced one — or the state is formally
+    // complete — present it instead of reporting the stopped loop as a bare
+    // "blocked" failure. A completed audit must never surface as blocked just
+    // because finalization kept churning (e.g. a runtime_validation <-> synthesis
+    // ping-pong, or revision churn from filesystem retries) after the report was
+    // written. With no report yet, the stop is a genuine block.
+    async function terminalStep(bundle, state, blockedReason) {
+        const reportRendered = state.status === "complete" || Boolean(bundle.audit_report);
+        await writeHandoffOnly({
+            root: params.root,
+            artifactsDir: params.artifactsDir,
+            bundle,
+            audit_state: state,
+            progress_summary: reportRendered && state.status !== "complete"
+                ? `Audit report already rendered; ending run. ${blockedReason}`
+                : blockedReason,
+            providerName: LOCAL_SUBPROCESS_PROVIDER_NAME,
+        });
+        if (!reportRendered) {
+            return { kind: "blocked", state, bundle, reason: blockedReason };
+        }
+        const promoted = await promoteFinalAuditReport({
+            artifactsDir: params.artifactsDir,
+            repoRoot: params.root,
+        });
+        return {
+            kind: "complete",
+            state,
+            bundle,
+            finalReportPath: promoted.promoted
+                ? join(params.root, AUDIT_REPORT_FILENAME)
+                : join(params.artifactsDir, AUDIT_REPORT_FILENAME),
+        };
+    }
     for (let index = 0; index < params.maxRuns; index++) {
         const bundle = await loadArtifactBundle(params.artifactsDir);
         const decision = decideNextStep(bundle);
@@ -318,24 +354,14 @@ async function runDeterministicForNextStep(params) {
                     `progress; stopping. Cycling obligations: ${cycle.join(" -> ")}.`,
                 timestamp: new Date().toISOString(),
             });
-            return {
-                kind: "blocked",
-                state: result.audit_state,
-                bundle: result.updated_bundle,
-                reason: "Finalization is not converging: deterministic executors kept revisiting " +
-                    `prior artifact states (${cycle.join(" -> ")}). The report has been ` +
-                    "rendered; review whether these obligations are erroneously invalidating each other.",
-            };
+            return await terminalStep(result.updated_bundle, result.audit_state, "Finalization is not converging: deterministic executors kept revisiting " +
+                `prior artifact states (${cycle.join(" -> ")}). Review whether these ` +
+                "obligations are erroneously invalidating each other.");
         }
     }
     const bundle = await loadArtifactBundle(params.artifactsDir);
     const state = deriveAuditState(bundle);
-    return {
-        kind: "blocked",
-        state,
-        bundle,
-        reason: `Reached max run limit (${params.maxRuns}) before a review, report, or blocker step was ready.`,
-    };
+    return await terminalStep(bundle, state, `Reached max run limit (${params.maxRuns}) before a review, report, or blocker step was ready.`);
 }
 export async function cmdNextStep(argv) {
     const root = getRootDir(argv);

package/dist/cli/reviewRun.js

@@ -90,7 +90,7 @@ export async function ensureSemanticReviewRun(params) {
     const paths = getRunPaths(params.artifactsDir, runId);
     const pendingTasks = await addFileLineCountHints(params.root, buildPendingAuditTasks(params.bundle));
     const pendingTasksPath = join(paths.runDir, "pending-audit-tasks.json");
-    const auditResultsPath = join(paths.runDir, "audit-results.json");
+    const auditResultsPath = join(paths.runDir, "run-results.json");
     const taskReadPaths = new Set();
     for (const pt of pendingTasks) {
         for (const fp of pt.file_paths)

package/dist/cli/runToCompletion.js

@@ -70,7 +70,7 @@ async function buildParallelWaveSlots(params) {
         runCount += 1;
         const slotRunId = buildRunId(obligationId, runCount);
         const slotPaths = getRunPaths(artifactsDir, slotRunId);
-        const slotAuditResultsPath = join(slotPaths.runDir, "audit-results.json");
+        const slotAuditResultsPath = join(slotPaths.runDir, "run-results.json");
         const slotPendingTasksPath = join(slotPaths.runDir, "pending-audit-tasks.json");
         const slotReadPaths = new Set();
         for (const t of group) {
@@ -398,7 +398,7 @@ async function runSingleWorkerStep(params) {
         ? join(paths.runDir, "pending-audit-tasks.json")
         : undefined;
     const providerAuditResultsPath = preferredExecutor === "agent"
-        ? join(paths.runDir, "audit-results.json")
+        ? join(paths.runDir, "run-results.json")
         : auditResultsPath;
     const providerReadPaths = new Set();
     if (pendingAuditTasks) {
@@ -694,7 +694,7 @@ export async function cmdRunToCompletion(argv) {
             const blockPaths = getRunPaths(artifactsDir, blockRunId);
             const blockPendingTasks = await addFileLineCountHints(root, buildPendingAuditTasks(bundle));
             const blockPendingTasksPath = join(blockPaths.runDir, "pending-audit-tasks.json");
-            const blockAuditResultsPath = join(blockPaths.runDir, "audit-results.json");
+            const blockAuditResultsPath = join(blockPaths.runDir, "run-results.json");
             const blockReadPaths = new Set();
             for (const pt of blockPendingTasks) {
                 for (const fp of pt.file_paths)
@@ -1031,23 +1031,36 @@ export async function cmdRunToCompletion(argv) {
     const bundle = await loadArtifactBundle(artifactsDir);
     const decision = decideNextStep(bundle);
     const state = decision.state;
-    if (state.status === "complete") {
+    // A rendered report is the deliverable: if synthesis already produced one (or
+    // the state is formally complete), finish the run on it instead of stranding
+    // it in the artifacts dir behind a bare "max run limit" non-completion. This
+    // mirrors next-step's terminalStep so both loops present a completed audit the
+    // same way, even when finalization churned (runtime_validation <-> synthesis
+    // ping-pong, or filesystem-retry revision churn) up to the backstop. With no
+    // report yet, the run limit is a genuine non-terminal stop.
+    const reportRendered = state.status === "complete" || Boolean(bundle.audit_report);
+    if (reportRendered) {
         await clearDispatchFiles(artifactsDir);
     }
+    const terminalState = reportRendered && state.status !== "complete"
+        ? { ...state, status: "complete" }
+        : state;
     await emitEnvelope({
         root,
         artifactsDir,
         bundle,
-        audit_state: state,
+        audit_state: terminalState,
         selected_obligation: lastResult?.obligation_id ?? decision.selected_obligation,
         selected_executor: lastResult?.selected_executor ?? decision.selected_executor,
         progress_made: anyProgress,
         artifacts_written: Array.from(artifactsWritten),
-        progress_summary: `Reached max run limit (${maxRuns}) before terminal state.`,
-        next_likely_step: state.status === "complete" ? null : decision.selected_obligation,
+        progress_summary: reportRendered && state.status !== "complete"
+            ? `Audit report already rendered; completing the run after reaching the max run limit (${maxRuns}) during finalization.`
+            : `Reached max run limit (${maxRuns}) before terminal state.`,
+        next_likely_step: reportRendered ? null : decision.selected_obligation,
         providerName: provider.name,
     });
-    if (state.status === "complete") {
+    if (reportRendered) {
         await promoteFinalAuditReport({ artifactsDir, repoRoot: root });
     }
 }

package/dist/supervisor/operatorHandoff.js

@@ -252,7 +252,12 @@ export function buildAuditCodeHandoff(params) {
             current_task: artifactPaths.current_task,
             current_prompt: artifactPaths.current_prompt,
             audit_results: params.activeReviewRun.audit_results_path,
-            final_report: join(params.root, AUDIT_REPORT_FILENAME),
+            // Synthesis writes the report into the artifacts dir; it is only promoted
+            // to <repo-root>/audit-report.md at completion (which then removes the
+            // artifacts dir). A blocked-for-review handoff happens before that, so the
+            // advertised deliverable must point at its real mid-run location, not the
+            // repo-root path that does not exist yet.
+            final_report: join(params.artifactsDir, AUDIT_REPORT_FILENAME),
         };
     }
     return handoff;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.9.1",
+  "version": "0.9.2",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",