The 272-line report was a summary, not a report. The user wanted
the actual evidence inlined. This version embeds:
- Full per-aggregate .md profiles (15 sections each)
- Full SSDL analysis rollup
- Full organization deductions
- Full call graph
- Full hot paths
- Full field usage
- Full decomposition matrix
- Full cross-audit summary
- Full dead fields
- Full candidates
- Full top-level summary
Total: 2009 lines. The user can read it as a single document or
grep for specific aggregates/sections.
The audit output is a database dump (49 files, 3 redundant formats
each). The user wanted ONE thing they can read. This is the
narrative version: 1 file that opens with the verdict, walks
through findings by severity, gives the Metadata deep dive, and
ends with prioritized restructuring routes.
Original 49 files (10 top-level rollups + 13 aggregates x 3 formats)
preserved as supporting detail. See Section 10 'See Also' for
the full artifact inventory.
The previous code did Path(src_dir) / function_ref.file, which
double-prefixed (e.g. src/src/project_manager.py) and silently
returned empty. Fixed: if function_ref.file exists as
CWD-relative, use it directly. Only join if it doesn't exist.
Now 130 real field accesses detected across 35 Metadata consumers
in the 2026-06-22 audit output (was 0 before).
The aggregate_findings function now does 3-tier mapping:
1. Function lookup (find_enclosing_function) -> exact match
2. File-level fallback: if the finding's file has any
producer/consumer of the aggregate, bucket it there
3. Unbucketed (the file has no aggregate refs)
Handles both 'file' and 'filename' keys (v1 audit scripts use
'filename'; spec fixtures use 'file'). Path normalization
for Windows paths.
Generated the 6 real audit_inputs from scripts/audit_*.py
against real src/. The Metadata aggregate now shows:
- 1 unique weak_types finding (1 site, from ai_client.py:159)
- 1 unique exception_handling finding (76 sites from PARAM_OPTIONAL)
mcp_client.py shows 0 because no Metadata producer/consumer
exists in the PCG for mcp_client (P1/P2 only detect typed
parameter signatures, not internal field access). The next
gap is expanding P3 to capture internal field use.
Loops over audit_weak_types + audit_exception_handling from
the 6 audit_inputs, calls aggregate_cross_audit_findings per
audit, sums the buckets per profile.
Cross-audit aggregation is per-aggregate-flat (all findings go
into 1 bucket per audit). The 3-tier finding-to-aggregate
mapping (find_enclosing_function + type registry + file
heuristic) is the next gap - requires per-finding site
classification.
13 aggregate profiles (10 real + 3 candidate placeholders)
+ 4 top-level rollups. Per the spec, the 3 candidate
aggregates (ToolSpec, ChatMessage, ProviderHistory) are
forward-compat placeholders for any_type_componentization_20260621
(NOT on master); the audit's report includes them with
is_candidate: True.
ed