chorus-codes 0.8.41 → 0.8.43

package/.next/trace-build

@@ -1 +1 @@
-[{"name":"run-webpack","duration":10925511,"timestamp":7691415813440,"id":14,"parentId":1,"tags":{},"startTime":1779082786239,"traceId":"847ee5841caa0bf6"},{"name":"run-typescript","duration":5869924,"timestamp":7691426742054,"id":2118,"parentId":1,"tags":{},"startTime":1779082797168,"traceId":"847ee5841caa0bf6"},{"name":"static-check","duration":398874,"timestamp":7691432660346,"id":2121,"parentId":1,"tags":{},"startTime":1779082803086,"traceId":"847ee5841caa0bf6"},{"name":"static-generation","duration":1233892,"timestamp":7691433265920,"id":2161,"parentId":1,"tags":{},"startTime":1779082803692,"traceId":"847ee5841caa0bf6"},{"name":"collect-build-traces","duration":6179439,"timestamp":7691433059635,"id":2158,"parentId":1,"tags":{},"startTime":1779082803486,"traceId":"847ee5841caa0bf6"},{"name":"telemetry-flush","duration":34,"timestamp":7691439241163,"id":2170,"parentId":1,"tags":{},"startTime":1779082809667,"traceId":"847ee5841caa0bf6"},{"name":"next-build","duration":23548297,"timestamp":7691415692910,"id":1,"tags":{"buildMode":"default","version":"16.2.4","bundler":"webpack","has-custom-webpack-config":"false","use-build-worker":"true"},"startTime":1779082786119,"traceId":"847ee5841caa0bf6"}]
+[{"name":"run-webpack","duration":10832690,"timestamp":7806834919587,"id":14,"parentId":1,"tags":{},"startTime":1779198205346,"traceId":"f204945893d550b9"},{"name":"run-typescript","duration":5891330,"timestamp":7806845755201,"id":2118,"parentId":1,"tags":{},"startTime":1779198216181,"traceId":"f204945893d550b9"},{"name":"static-check","duration":420785,"timestamp":7806851694323,"id":2121,"parentId":1,"tags":{},"startTime":1779198222120,"traceId":"f204945893d550b9"},{"name":"static-generation","duration":1348831,"timestamp":7806852286026,"id":2161,"parentId":1,"tags":{},"startTime":1779198222712,"traceId":"f204945893d550b9"},{"name":"collect-build-traces","duration":6088026,"timestamp":7806852115523,"id":2158,"parentId":1,"tags":{},"startTime":1779198222542,"traceId":"f204945893d550b9"},{"name":"telemetry-flush","duration":30,"timestamp":7806858205164,"id":2170,"parentId":1,"tags":{},"startTime":1779198228631,"traceId":"f204945893d550b9"},{"name":"next-build","duration":23369493,"timestamp":7806834835710,"id":1,"tags":{"buildMode":"default","version":"16.2.4","bundler":"webpack","has-custom-webpack-config":"false","use-build-worker":"true"},"startTime":1779198205262,"traceId":"f204945893d550b9"}]

package/dist/cli/commands/audit.js

@@ -0,0 +1,201 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports._testing = void 0;
+exports.registerAuditCommand = registerAuditCommand;
+const path = __importStar(require("path"));
+const daemon_discovery_js_1 = require("../../lib/daemon-discovery.js");
+const audit_pack_js_1 = require("../../lib/audit-pack.js");
+const ui_js_1 = require("../ui.js");
+const DEFAULT_TEMPLATE = 'review-only';
+const VALID_FOCUS = new Set(['security', 'correctness', 'performance', 'maintainability', 'all']);
+/**
+ * Daemon HTTP timeout. Audit POSTs to /chats with the assembled
+ * artifact — if the daemon stalls (libsql lock, OOM, etc.) the CLI
+ * should fail fast with a clear message rather than hang. 30s matches
+ * the project's "every external call has a timeout" rule.
+ */
+const DAEMON_FETCH_TIMEOUT_MS = 30_000;
+async function runAudit(targetPath, opts) {
+    console.log('');
+    console.log(`  ${ui_js_1.sym.rocket} ${ui_js_1.c.bold('chorus audit')} ${ui_js_1.c.dim('— multi-LLM review of existing code')}`);
+    console.log('');
+    // 1. Daemon up?
+    const info = (0, daemon_discovery_js_1.readDaemonInfo)();
+    if (!info) {
+        console.log(`  ${ui_js_1.c.red('✗')} daemon not running`);
+        console.log(`     run ${ui_js_1.c.bold('chorus start')} first, then re-run audit`);
+        process.exitCode = 1;
+        return;
+    }
+    const healthy = await (0, daemon_discovery_js_1.isDaemonHealthy)(info.daemonPort, 1500);
+    if (!healthy) {
+        console.log(`  ${ui_js_1.c.red('✗')} daemon not responding on :${info.daemonPort}`);
+        console.log(`     run ${ui_js_1.c.bold('chorus stop && chorus start')} to recycle`);
+        process.exitCode = 1;
+        return;
+    }
+    const baseUrl = opts.daemonUrl ?? `http://127.0.0.1:${info.daemonPort}`;
+    // 2. Validate --focus before doing any filesystem work. A bad
+    // --focus value should fail in milliseconds, not after a slow walk.
+    const focus = opts.focus ?? 'all';
+    if (!VALID_FOCUS.has(focus)) {
+        console.log(`  ${ui_js_1.c.red('✗')} --focus must be one of: ${[...VALID_FOCUS].join(', ')}`);
+        process.exitCode = 1;
+        return;
+    }
+    // 3. Resolve + validate path.
+    const rootAbs = path.resolve(process.cwd(), targetPath);
+    let files;
+    try {
+        files = (0, audit_pack_js_1.walkAuditPath)(rootAbs);
+    }
+    catch (err) {
+        if (err instanceof audit_pack_js_1.AuditPackError) {
+            console.log(`  ${ui_js_1.c.red('✗')} ${err.message}`);
+        }
+        else if (err instanceof Error && 'code' in err && err.code === 'ENOENT') {
+            console.log(`  ${ui_js_1.c.red('✗')} path not found: ${rootAbs}`);
+        }
+        else {
+            console.log(`  ${ui_js_1.c.red('✗')} ${err instanceof Error ? err.message : String(err)}`);
+        }
+        process.exitCode = 1;
+        return;
+    }
+    // 4. Assemble the artifact.
+    const scope = opts.scope ?? path.basename(rootAbs);
+    const focusPara = (0, audit_pack_js_1.focusParagraph)(focus);
+    let pack;
+    try {
+        pack = (0, audit_pack_js_1.assembleAuditArtifact)(rootAbs, files, { scope, focusParagraph: focusPara });
+    }
+    catch (err) {
+        if (err instanceof audit_pack_js_1.AuditPackError) {
+            console.log(`  ${ui_js_1.c.red('✗')} ${err.message}`);
+        }
+        else {
+            console.log(`  ${ui_js_1.c.red('✗')} ${err instanceof Error ? err.message : String(err)}`);
+        }
+        process.exitCode = 1;
+        return;
+    }
+    console.log(`  ${ui_js_1.c.green('✓')} packed ${ui_js_1.c.bold(String(pack.filesIncluded.length))} file${pack.filesIncluded.length === 1 ? '' : 's'} ${ui_js_1.c.gray(`(${pack.totalBytes} bytes)`)}`);
+    if (pack.filesSkipped.length > 0) {
+        console.log(`  ${ui_js_1.c.gray('·')} skipped ${pack.filesSkipped.length} (extension / read failure)`);
+    }
+    // 5. Resolve template — must be review-only kind so audit framing
+    // composes. Daemon will reject artifact on full-pipeline templates
+    // anyway; this is a friendlier upfront message.
+    const templateId = opts.template ?? DEFAULT_TEMPLATE;
+    console.log(`  ${ui_js_1.c.gray('·')} template: ${ui_js_1.c.bold(templateId)}`);
+    // 6. Build the audit-framed work brief.
+    const work = (0, audit_pack_js_1.buildAuditWork)(scope, focusPara);
+    // 7. Fire the chat. AbortSignal.timeout closes the connection if the
+    // daemon hangs — failing fast beats blocking the terminal forever.
+    let chatRes;
+    try {
+        chatRes = await fetch(`${baseUrl}/chats`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                work,
+                templateId,
+                artifact: pack.artifact,
+            }),
+            signal: AbortSignal.timeout(DAEMON_FETCH_TIMEOUT_MS),
+        });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        const timedOut = err instanceof Error && (err.name === 'TimeoutError' || err.name === 'AbortError');
+        if (timedOut) {
+            console.log(`  ${ui_js_1.c.red('✗')} chat create timed out after ${DAEMON_FETCH_TIMEOUT_MS}ms (daemon hung?)`);
+        }
+        else {
+            console.log(`  ${ui_js_1.c.red('✗')} chat create failed: ${msg}`);
+        }
+        process.exitCode = 1;
+        return;
+    }
+    if (!chatRes.ok) {
+        const text = await chatRes.text().catch(() => '');
+        console.log(`  ${ui_js_1.c.red('✗')} chat create failed: ${chatRes.status} ${text.slice(0, 400)}`);
+        if (chatRes.status === 400 && text.includes('review-only')) {
+            console.log('');
+            console.log(`     ${ui_js_1.c.gray('hint: --template must point at a review_only template')}`);
+            console.log(`     ${ui_js_1.c.gray('the default ')}${ui_js_1.c.bold(DEFAULT_TEMPLATE)}${ui_js_1.c.gray(' is review_only; full-pipeline templates with a doer slot are not audit-compatible')}`);
+        }
+        process.exitCode = 1;
+        return;
+    }
+    const chatEnv = (await chatRes.json());
+    const chatId = chatEnv.data?.id;
+    if (!chatId) {
+        console.log(`  ${ui_js_1.c.red('✗')} chat create returned no id`);
+        process.exitCode = 1;
+        return;
+    }
+    const cockpitUrl = `http://127.0.0.1:${info.cockpitPort}`;
+    console.log('');
+    console.log(`  ${ui_js_1.c.green('✓')} audit fired ${ui_js_1.c.gray('(id: ' + chatId + ')')}`);
+    console.log(`     watch live: ${ui_js_1.c.cyan(`${cockpitUrl}/runs/${chatId}`)}`);
+    console.log('');
+    console.log(`  ${ui_js_1.c.gray('reviewers run in the background — close this terminal and check the cockpit later')}`);
+    console.log('');
+}
+function registerAuditCommand(program) {
+    program
+        .command('audit')
+        .description('Multi-LLM review of existing production code. Reads <path>, packs source files, fires a review-only chat.')
+        .argument('<path>', 'file or directory to audit')
+        .option('--scope <name>', 'human label for the audit scope (defaults to path basename)')
+        .option('--focus <area>', 'audit focus: security | correctness | performance | maintainability | all', 'all')
+        .option('--template <id>', 'override the review-only template used for the fleet', DEFAULT_TEMPLATE)
+        .action(async (targetPath, options) => {
+        try {
+            await runAudit(targetPath, options);
+        }
+        catch (err) {
+            console.error('audit failed:', err instanceof Error ? err.message : err);
+            process.exit(1);
+        }
+    });
+}
+exports._testing = {
+    DEFAULT_TEMPLATE,
+    VALID_FOCUS,
+};
+//# sourceMappingURL=audit.js.map

package/dist/cli/commands/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../../src/cli/commands/audit.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiLA,oDAsBC;AA1LD,2CAA6B;AAC7B,uEAAgF;AAChF,2DAMiC;AACjC,oCAAkC;AASlC,MAAM,gBAAgB,GAAG,aAAa,CAAC;AACvC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,aAAa,EAAE,aAAa,EAAE,iBAAiB,EAAE,KAAK,CAAC,CAAC,CAAC;AAElG;;;;;GAKG;AACH,MAAM,uBAAuB,GAAG,MAAM,CAAC;AAEvC,KAAK,UAAU,QAAQ,CAAC,UAAkB,EAAE,IAAkB;IAC5D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,WAAG,CAAC,MAAM,IAAI,SAAC,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,SAAC,CAAC,GAAG,CAAC,qCAAqC,CAAC,EAAE,CAAC,CAAC;IACzG,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,gBAAgB;IAChB,MAAM,IAAI,GAAG,IAAA,oCAAc,GAAE,CAAC;IAC9B,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,KAAK,SAAC,CAAC,GAAG,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;QAClD,OAAO,CAAC,GAAG,CAAC,YAAY,SAAC,CAAC,IAAI,CAAC,cAAc,CAAC,2BAA2B,CAAC,CAAC;QAC3E,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,IAAA,qCAAe,EAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IAC7D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,CAAC,GAAG,CAAC,KAAK,SAAC,CAAC,GAAG,CAAC,GAAG,CAAC,8BAA8B,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QAC5E,OAAO,CAAC,GAAG,CAAC,YAAY,SAAC,CAAC,IAAI,CAAC,6BAA6B,CAAC,aAAa,CAAC,CAAC;QAC5E,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,IAAI,oBAAoB,IAAI,CAAC,UAAU,EAAE,CAAC;IAExE,8DAA8D;IAC9D,oEAAoE;IACpE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC;IAClC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,KAAK,SAAC,CAAC,GAAG,CAAC,GAAG,CAAC,4BAA4B,CAAC,GAAG,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IAED,8BAA8B;IAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC;IACxD,IAAI,KAAe,CAAC;IACpB,IAAI,CAAC;QACH,KAAK,GAAG,IAAA,6BAAa,EAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,8BAAc,EAAE,CAAC;YAClC,OAAO,CAAC,GAAG,CAAC,KAAK,SAAC,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QAChD,CAAC;aAAM,IAAI,GAAG,YAAY,KAAK,IAAI,MAAM,IAAI,GAAG,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrG,OAAO,CAAC,GAAG,CAAC,KAAK,SAAC,CAAC,GAAG,CAAC,GAAG,CAAC,oBAAoB,OAAO,EAAE,CAAC,CAAC;QAC5D,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,KAAK,SAAC,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACrF,CAAC;QACD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IAED,4BAA4B;IAC5B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACnD,MAAM,SAAS,GAAG,IAAA,8BAAc,EAAC,KAAK,CAAC,CAAC;IACxC,IAAI,IAAI,CAAC;IACT,IAAI,CAAC;QACH,IAAI,GAAG,IAAA,qCAAqB,EAAC,OAAO,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,SAAS,EAAE,CAAC,CAAC;IACrF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,8BAAc,EAAE,CAAC;YAClC,OAAO,CAAC,GAAG,CAAC,KAAK,SAAC,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QAChD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,KAAK,SAAC,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACrF,CAAC;QACD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CACT,KAAK,SAAC,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,SAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,QAAQ,IAAI,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,IAAI,SAAC,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,SAAS,CAAC,EAAE,CAClK,CAAC;IACF,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,KAAK,SAAC,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,IAAI,CAAC,YAAY,CAAC,MAAM,6BAA6B,CAAC,CAAC;IACjG,CAAC;IAED,kEAAkE;IAClE,mEAAmE;IACnE,gDAAgD;IAChD,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,IAAI,gBAAgB,CAAC;IACrD,OAAO,CAAC,GAAG,CAAC,KAAK,SAAC,CAAC,IAAI,CAAC,GAAG,CAAC,cAAc,SAAC,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IAEhE,wCAAwC;IACxC,MAAM,IAAI,GAAG,IAAA,8BAAc,EAAC,KAAK,EAAE,SAAS,CAAC,CAAC;IAE9C,qEAAqE;IACrE,mEAAmE;IACnE,IAAI,OAAiB,CAAC;IACtB,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,QAAQ,EAAE;YACxC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,IAAI;gBACJ,UAAU;gBACV,QAAQ,EAAE,IAAI,CAAC,QAAQ;aACxB,CAAC;YACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAuB,CAAC;SACrD,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,MAAM,QAAQ,GAAG,GAAG,YAAY,KAAK,IAAI,CAAC,GAAG,CAAC,IAAI,KAAK,cAAc,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC;QACpG,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,CAAC,KAAK,SAAC,CAAC,GAAG,CAAC,GAAG,CAAC,gCAAgC,uBAAuB,mBAAmB,CAAC,CAAC;QACzG,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,KAAK,SAAC,CAAC,GAAG,CAAC,GAAG,CAAC,wBAAwB,GAAG,EAAE,CAAC,CAAC;QAC5D,CAAC;QACD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;QAChB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAClD,OAAO,CAAC,GAAG,CAAC,KAAK,SAAC,CAAC,GAAG,CAAC,GAAG,CAAC,wBAAwB,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;QAC3F,IAAI,OAAO,CAAC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YAC3D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,QAAQ,SAAC,CAAC,IAAI,CAAC,uDAAuD,CAAC,EAAE,CAAC,CAAC;YACvF,OAAO,CAAC,GAAG,CAAC,QAAQ,SAAC,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,SAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,GAAG,SAAC,CAAC,IAAI,CAAC,oFAAoF,CAAC,EAAE,CAAC,CAAC;QAC1K,CAAC;QACD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAA8B,CAAC;IACpE,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;IAChC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,CAAC,GAAG,CAAC,KAAK,SAAC,CAAC,GAAG,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;QAC1D,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAG,oBAAoB,IAAI,CAAC,WAAW,EAAE,CAAC;IAC1D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,SAAC,CAAC,KAAK,CAAC,GAAG,CAAC,gBAAgB,SAAC,CAAC,IAAI,CAAC,OAAO,GAAG,MAAM,GAAG,GAAG,CAAC,EAAE,CAAC,CAAC;IAC/E,OAAO,CAAC,GAAG,CAAC,oBAAoB,SAAC,CAAC,IAAI,CAAC,GAAG,UAAU,SAAS,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC;IAC1E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,SAAC,CAAC,IAAI,CAAC,mFAAmF,CAAC,EAAE,CAAC,CAAC;IAChH,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AAClB,CAAC;AAED,SAAgB,oBAAoB,CAAC,OAAgB;IACnD,OAAO;SACJ,OAAO,CAAC,OAAO,CAAC;SAChB,WAAW,CACV,2GAA2G,CAC5G;SACA,QAAQ,CAAC,QAAQ,EAAE,4BAA4B,CAAC;SAChD,MAAM,CAAC,gBAAgB,EAAE,6DAA6D,CAAC;SACvF,MAAM,CACL,gBAAgB,EAChB,2EAA2E,EAC3E,KAAK,CACN;SACA,MAAM,CAAC,iBAAiB,EAAE,sDAAsD,EAAE,gBAAgB,CAAC;SACnG,MAAM,CAAC,KAAK,EAAE,UAAkB,EAAE,OAAqB,EAAE,EAAE;QAC1D,IAAI,CAAC;YACH,MAAM,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACtC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,eAAe,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC;AAEY,QAAA,QAAQ,GAAG;IACtB,gBAAgB;IAChB,WAAW;CACZ,CAAC"}

package/dist/cli/index.js

@@ -9,6 +9,7 @@ const open_browser_js_1 = require("./open-browser.js");
 const os_1 = __importDefault(require("os"));
 const path_1 = __importDefault(require("path"));
 const daemon_discovery_js_1 = require("../lib/daemon-discovery.js");
+const audit_js_1 = require("./commands/audit.js");
 const diagnose_js_1 = require("./commands/diagnose.js");
 const doctor_js_1 = require("./commands/doctor.js");
 const init_js_1 = require("./commands/init.js");
@@ -65,6 +66,7 @@ program.addHelpText('beforeAll', () => {
 (0, diagnose_js_1.registerDiagnoseCommand)(program);
 (0, update_js_1.registerUpdateCommand)(program);
 (0, quickstart_js_1.registerQuickstartCommand)(program);
+(0, audit_js_1.registerAuditCommand)(program);
 program
     .command('ui')
     .description('Open the Chorus web UI in default browser')

package/dist/cli/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";;;;;AAAA,yCAAoC;AACpC,4CAAoB;AACpB,uDAAgD;AAChD,4CAAoB;AACpB,gDAAwB;AACxB,oEAA+D;AAC/D,wDAAiE;AACjE,oDAA6D;AAC7D,gDAAyD;AACzD,4DAAqE;AACrE,kDAA2D;AAC3D,oDAA6D;AAC7D,gDAAyD;AACzD,oDAA6D;AAC7D,qDAA2E;AAC3E,2CAAkC;AAClC,mCAAsC;AAEtC,MAAM,OAAO,GAAG,IAAI,mBAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,QAAQ,CAAC;KACd,WAAW,CAAC,0DAA0D,CAAC;KACvE,OAAO,CAAC,eAAG,CAAC,OAAO,CAAC,CAAC;AAExB,mEAAmE;AACnE,oEAAoE;AACpE,uEAAuE;AACvE,mEAAmE;AACnE,WAAW;AACX,OAAO,CAAC,WAAW,CAAC,WAAW,EAAE,GAAG,EAAE;IACpC,MAAM,SAAS,GAAG,cAAI,CAAC,IAAI,CAAC,YAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;IACrD,MAAM,MAAM,GAAG,cAAI,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,cAAI,CAAC,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;IACrD,MAAM,WAAW,GAAG,YAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAG,YAAE,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IAEzC,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO;YACL,EAAE;YACF,KAAK,WAAG,CAAC,MAAM,IAAI,SAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,SAAC,CAAC,GAAG,CAAC,8BAA8B,CAAC,EAAE;YACzF,EAAE;YACF,OAAO,SAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,SAAC,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,SAAC,CAAC,GAAG,CAAC,+DAA+D,CAAC,EAAE;YAC5H,OAAO,SAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,SAAC,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,SAAC,CAAC,GAAG,CAAC,+BAA+B,CAAC,EAAE;YAC5F,EAAE;SACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC;IACD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,EAAE;YACF,KAAK,WAAG,CAAC,OAAO,IAAI,SAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,IAAI,SAAC,CAAC,GAAG,CAAC,mBAAmB,CAAC,EAAE;YAChF,EAAE;YACF,OAAO,SAAC,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE;YAC/B,EAAE;SACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC,CAAC,CAAC;AAEH,IAAA,6BAAmB,EAAC,OAAO,CAAC,CAAC;AAC7B,IAAA,+BAAoB,EAAC,OAAO,CAAC,CAAC;AAC9B,IAAA,6BAAmB,EAAC,OAAO,CAAC,CAAC;AAC7B,IAAA,iCAAqB,EAAC,OAAO,CAAC,CAAC;AAC/B,IAAA,iCAAqB,EAAC,OAAO,CAAC,CAAC;AAC/B,IAAA,qCAAuB,EAAC,OAAO,CAAC,CAAC;AACjC,IAAA,iCAAqB,EAAC,OAAO,CAAC,CAAC;AAC/B,IAAA,yCAAyB,EAAC,OAAO,CAAC,CAAC;AAEnC,OAAO;KACJ,OAAO,CAAC,IAAI,CAAC;KACb,WAAW,CAAC,2CAA2C,CAAC;KACxD,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,iCAAgB,GAAE,CAAC;QAC/B,MAAM,UAAU,GAAG,MAAM,IAAA,uCAAiB,GAAE,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,MAAM,SAAC,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,SAAC,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;QAC3D,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,IAAA,WAAG,EAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;QAC7B,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,IAAI,IAAA,sCAAqB,EAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,IAAA,6BAAW,EAAC,UAAU,CAAC,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,aAAa,UAAU,KAAK,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,yBAAyB,EAAE,KAAK,CAAC,CAAC;QAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,wBAAwB,CAAC;KACjC,WAAW,CACV,yEAAyE,CAC1E;KACA,MAAM,CAAC,KAAK,EAAE,YAAqB,EAAE,EAAE;IACtC,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,CAAC;IACpD,UAAU,CAAC,YAAY,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,KAAK,CAAC;KACd,WAAW,CAAC,iDAAiD,CAAC;KAC9D,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,kEAAkE;IAClE,mEAAmE;IACnE,iEAAiE;IACjE,kBAAkB;IAClB,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;AAClC,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;AAE5B,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IAClC,OAAO,CAAC,UAAU,EAAE,CAAC;AACvB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";;;;;AAAA,yCAAoC;AACpC,4CAAoB;AACpB,uDAAgD;AAChD,4CAAoB;AACpB,gDAAwB;AACxB,oEAA+D;AAC/D,kDAA2D;AAC3D,wDAAiE;AACjE,oDAA6D;AAC7D,gDAAyD;AACzD,4DAAqE;AACrE,kDAA2D;AAC3D,oDAA6D;AAC7D,gDAAyD;AACzD,oDAA6D;AAC7D,qDAA2E;AAC3E,2CAAkC;AAClC,mCAAsC;AAEtC,MAAM,OAAO,GAAG,IAAI,mBAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,QAAQ,CAAC;KACd,WAAW,CAAC,0DAA0D,CAAC;KACvE,OAAO,CAAC,eAAG,CAAC,OAAO,CAAC,CAAC;AAExB,mEAAmE;AACnE,oEAAoE;AACpE,uEAAuE;AACvE,mEAAmE;AACnE,WAAW;AACX,OAAO,CAAC,WAAW,CAAC,WAAW,EAAE,GAAG,EAAE;IACpC,MAAM,SAAS,GAAG,cAAI,CAAC,IAAI,CAAC,YAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;IACrD,MAAM,MAAM,GAAG,cAAI,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,cAAI,CAAC,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;IACrD,MAAM,WAAW,GAAG,YAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAG,YAAE,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IAEzC,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO;YACL,EAAE;YACF,KAAK,WAAG,CAAC,MAAM,IAAI,SAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,SAAC,CAAC,GAAG,CAAC,8BAA8B,CAAC,EAAE;YACzF,EAAE;YACF,OAAO,SAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,SAAC,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,SAAC,CAAC,GAAG,CAAC,+DAA+D,CAAC,EAAE;YAC5H,OAAO,SAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,SAAC,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,SAAC,CAAC,GAAG,CAAC,+BAA+B,CAAC,EAAE;YAC5F,EAAE;SACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC;IACD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,EAAE;YACF,KAAK,WAAG,CAAC,OAAO,IAAI,SAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,IAAI,SAAC,CAAC,GAAG,CAAC,mBAAmB,CAAC,EAAE;YAChF,EAAE;YACF,OAAO,SAAC,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE;YAC/B,EAAE;SACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC,CAAC,CAAC;AAEH,IAAA,6BAAmB,EAAC,OAAO,CAAC,CAAC;AAC7B,IAAA,+BAAoB,EAAC,OAAO,CAAC,CAAC;AAC9B,IAAA,6BAAmB,EAAC,OAAO,CAAC,CAAC;AAC7B,IAAA,iCAAqB,EAAC,OAAO,CAAC,CAAC;AAC/B,IAAA,iCAAqB,EAAC,OAAO,CAAC,CAAC;AAC/B,IAAA,qCAAuB,EAAC,OAAO,CAAC,CAAC;AACjC,IAAA,iCAAqB,EAAC,OAAO,CAAC,CAAC;AAC/B,IAAA,yCAAyB,EAAC,OAAO,CAAC,CAAC;AACnC,IAAA,+BAAoB,EAAC,OAAO,CAAC,CAAC;AAE9B,OAAO;KACJ,OAAO,CAAC,IAAI,CAAC;KACb,WAAW,CAAC,2CAA2C,CAAC;KACxD,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,iCAAgB,GAAE,CAAC;QAC/B,MAAM,UAAU,GAAG,MAAM,IAAA,uCAAiB,GAAE,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,MAAM,SAAC,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,SAAC,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;QAC3D,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,IAAA,WAAG,EAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;QAC7B,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,IAAI,IAAA,sCAAqB,EAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,IAAA,6BAAW,EAAC,UAAU,CAAC,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,aAAa,UAAU,KAAK,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,yBAAyB,EAAE,KAAK,CAAC,CAAC;QAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,wBAAwB,CAAC;KACjC,WAAW,CACV,yEAAyE,CAC1E;KACA,MAAM,CAAC,KAAK,EAAE,YAAqB,EAAE,EAAE;IACtC,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,CAAC;IACpD,UAAU,CAAC,YAAY,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,KAAK,CAAC;KACd,WAAW,CAAC,iDAAiD,CAAC;KAC9D,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,kEAAkE;IAClE,mEAAmE;IACnE,iEAAiE;IACjE,kBAAkB;IAClB,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;AAClC,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;AAE5B,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IAClC,OAAO,CAAC,UAAU,EAAE,CAAC;AACvB,CAAC"}

package/dist/lib/audit-pack.js

@@ -0,0 +1,408 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditPackError = exports.AUDIT_MAX_FILE_LINES = exports.AUDIT_MAX_TOTAL_BYTES = exports.AUDIT_MAX_FILES = void 0;
+exports.walkAuditPath = walkAuditPath;
+exports.assembleAuditArtifact = assembleAuditArtifact;
+exports.focusParagraph = focusParagraph;
+exports.buildAuditWork = buildAuditWork;
+/**
+ * Audit-pack assembly.
+ *
+ * Pure helpers for `chorus audit <path>`. Walk a path, read files,
+ * concatenate into a single artifact string the existing review-only
+ * substrate can consume.
+ *
+ * No HTTP, no daemon, no subprocess — only fs reads from a user-supplied
+ * path with the same defence-in-depth checks used by `packAttachedFiles`
+ * (no symlinks, no traversal, regular files only).
+ *
+ * Caps are intentionally aggressive. Audit's job is to narrow scope
+ * enough that a 5-reviewer fleet can produce useful findings on a
+ * single subsystem — not to scan a whole repo. Refuse early with a
+ * clear "narrow scope further" message when limits are exceeded.
+ */
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+/** Max number of files surveyed in one audit. */
+exports.AUDIT_MAX_FILES = 50;
+/** Max total bytes (across all files) emitted into the artifact. */
+exports.AUDIT_MAX_TOTAL_BYTES = 200 * 1024;
+/** Max lines retained per file before head+tail truncation kicks in. */
+exports.AUDIT_MAX_FILE_LINES = 2000;
+/** Lines retained from the head when a file is truncated. */
+const TRUNCATION_HEAD_LINES = 1500;
+/** Lines retained from the tail when a file is truncated. */
+const TRUNCATION_TAIL_LINES = 500;
+/**
+ * Extensions audit will read. Everything else is skipped silently and
+ * surfaced in the trailing "skipped" section. Lockfiles and binary
+ * formats are never useful in an audit artifact.
+ */
+/**
+ * Filename-based exclusions that run after the extension check.
+ * Lockfiles pass the .json / .yaml / .yml extension filter but are
+ * spec-banned ("Lockfiles and binary formats are never useful in an
+ * audit artifact" — planning/audit-mode.md). Convergent self-review
+ * (3/8 reviewers on PR #58) caught the divergence between spec and
+ * implementation. Match case-insensitively for cross-platform safety.
+ */
+const LOCKFILE_NAMES = new Set([
+    'package-lock.json',
+    'yarn.lock',
+    'pnpm-lock.yaml',
+    'cargo.lock',
+    'composer.lock',
+    'gemfile.lock',
+    'poetry.lock',
+    'go.sum',
+]);
+const ALLOWED_EXTENSIONS = new Set([
+    '.ts',
+    '.tsx',
+    '.js',
+    '.jsx',
+    '.mjs',
+    '.cjs',
+    '.py',
+    '.go',
+    '.rs',
+    '.java',
+    '.kt',
+    '.swift',
+    '.rb',
+    '.php',
+    '.c',
+    '.cpp',
+    '.h',
+    '.hpp',
+    '.cs',
+    '.sql',
+    '.sh',
+    '.bash',
+    '.yaml',
+    '.yml',
+    '.toml',
+    '.json',
+    '.md',
+]);
+/**
+ * Directories pruned at walk time. Keeps node_modules and build output
+ * out of the artifact even when the user points audit at a project
+ * root.
+ */
+const PRUNE_DIRS = new Set([
+    'node_modules',
+    '.git',
+    'dist',
+    'build',
+    '.next',
+    '__pycache__',
+    '.venv',
+    'venv',
+    'target',
+    'vendor',
+    '.turbo',
+    'coverage',
+    '.cache',
+]);
+/** Pure-error class for distinguishable failure modes in tests + callers. */
+class AuditPackError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+        this.name = 'AuditPackError';
+    }
+}
+exports.AuditPackError = AuditPackError;
+/**
+ * Walk a path and return absolute file paths under it. Resolves a single
+ * file to a one-element list; a directory is recursively walked with
+ * PRUNE_DIRS removed. Symlinks are rejected. Never crosses out of the
+ * input root.
+ */
+function walkAuditPath(rootAbs) {
+    const stat = fs.lstatSync(rootAbs);
+    if (stat.isSymbolicLink()) {
+        throw new AuditPackError('symlink_root', `audit path is a symlink — refusing to follow: ${rootAbs}`);
+    }
+    if (stat.isFile())
+        return [rootAbs];
+    if (!stat.isDirectory()) {
+        throw new AuditPackError('not_a_file_or_dir', `audit path is not a file or directory: ${rootAbs}`);
+    }
+    const out = [];
+    const stack = [rootAbs];
+    while (stack.length > 0) {
+        const dir = stack.pop();
+        let entries;
+        try {
+            entries = fs.readdirSync(dir, { withFileTypes: true });
+        }
+        catch {
+            continue;
+        }
+        for (const entry of entries) {
+            const full = path.join(dir, entry.name);
+            if (entry.isSymbolicLink())
+                continue;
+            if (entry.isDirectory()) {
+                // PRUNE_DIRS match is case-insensitive — Windows / macOS have
+                // case-insensitive filesystems and a folder named `Node_modules`
+                // should still get pruned. readdirSync never returns `.` or `..`
+                // as Dirent.name, so no `!== '.'` guard is needed.
+                if (PRUNE_DIRS.has(entry.name.toLowerCase()))
+                    continue;
+                if (entry.name.startsWith('.'))
+                    continue;
+                stack.push(full);
+                continue;
+            }
+            if (entry.isFile()) {
+                if (entry.name.startsWith('.'))
+                    continue;
+                if (LOCKFILE_NAMES.has(entry.name.toLowerCase()))
+                    continue;
+                out.push(full);
+            }
+        }
+    }
+    out.sort();
+    return out;
+}
+/**
+ * Read a file safely (O_NOFOLLOW on POSIX, lstat-then-read on Windows).
+ * Returns null on any failure or skip condition — callers decide whether
+ * to surface that as a skipped file or hard error.
+ *
+ * TOCTOU note: the read goes through the same fd we opened with
+ * O_NOFOLLOW, not the path string. A prior revision opened a fd, ran
+ * fstat, then re-read via readFileSync(path) — convergent self-review
+ * (5/8 reviewers on PR #58) flagged that a symlink swap between the
+ * stat and the re-read would defeat the O_NOFOLLOW guard. Reading from
+ * the fd closes the window.
+ */
+function readFileSafe(abs) {
+    try {
+        if (process.platform !== 'win32') {
+            let fd = -1;
+            try {
+                fd = fs.openSync(abs, fs.constants.O_RDONLY | fs.constants.O_NOFOLLOW);
+                const stat = fs.fstatSync(fd);
+                if (!stat.isFile())
+                    return null;
+                return fs.readFileSync(fd, 'utf-8');
+            }
+            finally {
+                if (fd >= 0)
+                    fs.closeSync(fd);
+            }
+        }
+        else {
+            // Windows fallback: lstat-then-read. The race window here is wider
+            // (no atomic O_NOFOLLOW equivalent) but Windows isn't the primary
+            // target for chorus audits. Documented as best-effort.
+            const lstat = fs.lstatSync(abs);
+            if (lstat.isSymbolicLink() || !lstat.isFile())
+                return null;
+            return fs.readFileSync(abs, 'utf-8');
+        }
+    }
+    catch {
+        return null;
+    }
+}
+/** Truncate a file's content head+tail with an elision marker. */
+function truncateFileBody(body) {
+    const lines = body.split('\n');
+    if (lines.length <= exports.AUDIT_MAX_FILE_LINES) {
+        return { body, truncated: false, originalLines: lines.length };
+    }
+    const head = lines.slice(0, TRUNCATION_HEAD_LINES).join('\n');
+    const tail = lines.slice(lines.length - TRUNCATION_TAIL_LINES).join('\n');
+    const elided = lines.length - TRUNCATION_HEAD_LINES - TRUNCATION_TAIL_LINES;
+    return {
+        body: `${head}\n\n... [${elided} lines elided] ...\n\n${tail}`,
+        truncated: true,
+        originalLines: lines.length,
+    };
+}
+/** Strip leading dot from extension; empty extension returns ''. */
+function extLangHint(ext) {
+    return ext.startsWith('.') ? ext.slice(1) : ext;
+}
+/**
+ * Build the audit artifact from a list of absolute file paths under a
+ * root. Files outside `rootAbs` are rejected. Enforces all caps and
+ * surfaces both included and skipped files in the result.
+ */
+function assembleAuditArtifact(rootAbs, files, opts) {
+    if (files.length === 0) {
+        throw new AuditPackError('no_files_matched', `no files matched under ${rootAbs} — check the path or extension allowlist`);
+    }
+    // Filter by extension allowlist + lockfile blocklist; keep the
+    // rejected ones for surfacing. Also enforces root-containment:
+    // every file must live under `rootAbs` (closing the docstring
+    // promise that a prior revision left unimplemented — 4/8 reviewers
+    // on PR #58 flagged this as a path-traversal hole when callers
+    // bypass walkAuditPath).
+    const eligible = [];
+    const skipped = [];
+    for (const abs of files) {
+        if (!abs.startsWith(rootAbs + path.sep) && abs !== rootAbs) {
+            throw new AuditPackError('outside_root', `file is outside the audit root (rootAbs=${rootAbs}, file=${abs})`);
+        }
+        const base = path.basename(abs).toLowerCase();
+        if (LOCKFILE_NAMES.has(base)) {
+            skipped.push(abs);
+            continue;
+        }
+        if (ALLOWED_EXTENSIONS.has(path.extname(abs).toLowerCase())) {
+            eligible.push(abs);
+        }
+        else {
+            skipped.push(abs);
+        }
+    }
+    if (eligible.length === 0) {
+        throw new AuditPackError('no_files_matched', `no files matched the extension allowlist under ${rootAbs} — audit reads source code only`);
+    }
+    if (eligible.length > exports.AUDIT_MAX_FILES) {
+        throw new AuditPackError('too_many_files', `audit matched ${eligible.length} files; cap is ${exports.AUDIT_MAX_FILES}. Narrow the scope (point at a subdirectory or specific file).`);
+    }
+    // Read + truncate. Build content blocks and tally bytes.
+    const blocks = [];
+    const includedRel = [];
+    const skippedRel = skipped.map((abs) => toDisplay(rootAbs, abs));
+    let totalBytes = 0;
+    for (const abs of eligible) {
+        const display = toDisplay(rootAbs, abs);
+        const body = readFileSafe(abs);
+        if (body === null) {
+            skippedRel.push(`${display} (read failed)`);
+            continue;
+        }
+        const { body: bodyOut, truncated, originalLines } = truncateFileBody(body);
+        // Build the full markdown block before measuring. Counting only the
+        // raw file body underestimated the artifact size by header + fence
+        // overhead (~80-120 bytes per file). Convergent self-review (3/8 on
+        // PR #58) flagged that AuditPackResult.totalBytes — documented as
+        // "bytes of file content emitted into the artifact" — must reflect
+        // what actually gets POSTed, not just the body, so the cap and the
+        // reported number stay apples-to-apples.
+        const ext = extLangHint(path.extname(display));
+        const header = truncated
+            ? `## \`${display}\` (${originalLines} lines, truncated)`
+            : `## \`${display}\` (${originalLines} lines)`;
+        const block = `${header}\n\n\`\`\`${ext}\n${bodyOut}\n\`\`\``;
+        const bytes = Buffer.byteLength(block, 'utf-8');
+        if (totalBytes + bytes > exports.AUDIT_MAX_TOTAL_BYTES) {
+            const after = includedRel.length === 0
+                ? 'before including any files'
+                : `after ${includedRel.length} file${includedRel.length === 1 ? '' : 's'}`;
+            throw new AuditPackError('too_many_bytes', `audit content would exceed ${exports.AUDIT_MAX_TOTAL_BYTES}-byte cap ${after}. Narrow the scope.`);
+        }
+        blocks.push(block);
+        totalBytes += bytes;
+        includedRel.push(display);
+    }
+    if (includedRel.length === 0) {
+        throw new AuditPackError('all_files_unreadable', `every candidate file under ${rootAbs} failed to read — check permissions or symlink layout`);
+    }
+    const heading = `# Audit: ${opts.scope}`;
+    const intro = opts.focusParagraph ? `\n${opts.focusParagraph.trim()}\n` : '';
+    const skipNote = skippedRel.length > 0
+        ? `\n---\n\n**Skipped (${skippedRel.length} file${skippedRel.length === 1 ? '' : 's'} — extension not in allowlist or read failed):**\n${skippedRel.map((p) => `- \`${p}\``).join('\n')}\n`
+        : '';
+    const artifact = `${heading}\n${intro}\n---\n\n${blocks.join('\n\n')}\n${skipNote}`;
+    return {
+        artifact,
+        filesIncluded: includedRel,
+        filesSkipped: skippedRel,
+        totalBytes,
+    };
+}
+/** Display path: relative to root if under it, else basename. */
+function toDisplay(rootAbs, fileAbs) {
+    const rel = path.relative(rootAbs, fileAbs);
+    if (!rel || rel.startsWith('..'))
+        return path.basename(fileAbs);
+    return rel;
+}
+/**
+ * Focus-paragraph map. Pure data so the CLI flag handler and tests
+ * stay aligned. `all` returns undefined — no paragraph injected.
+ */
+function focusParagraph(focus) {
+    switch (focus) {
+        case 'security':
+            return 'Focus on: authentication, authorization, input validation, secret handling, injection vectors, SSRF, race conditions, and any place the code trusts external input.';
+        case 'correctness':
+            return 'Focus on: off-by-one errors, null/undefined handling, race conditions, error swallowing, and edge cases the happy path obscures.';
+        case 'performance':
+            return 'Focus on: N+1 patterns, unnecessary work in hot paths, blocking I/O on event loops, and unbounded memory growth.';
+        case 'maintainability':
+            return 'Focus on: code that future maintainers will struggle with — unclear naming, hidden coupling, missing types, dead branches, and abstractions that do not pay rent.';
+        case 'all':
+        case '':
+        case undefined:
+            return undefined;
+        default:
+            // Unknown focus value — caller validates upstream; here we just
+            // pass it through as a free-form paragraph so power users can
+            // pipe arbitrary framing in if they want.
+            return focus;
+    }
+}
+/**
+ * Build the audit `work` brief — the framing reviewers see in their
+ * ask.md before the artifact. This is what turns review-only into
+ * audit-mode without any runner changes.
+ */
+function buildAuditWork(scope, focusPara) {
+    const lines = [];
+    lines.push(`You are auditing existing production code (scope: ${scope}).`);
+    lines.push('');
+    lines.push('This code already ships. Your job is to find real bugs, security risks, and correctness issues — not style nits. Be specific: file:line, what is wrong, what would fix it.');
+    if (focusPara) {
+        lines.push('');
+        lines.push(focusPara);
+    }
+    lines.push('');
+    lines.push('List your findings as a markdown list sorted high → low severity, then end your review with "approve" if you found nothing high-severity, or "request changes" if you did.');
+    return lines.join('\n');
+}
+//# sourceMappingURL=audit-pack.js.map